fix: deep review fixes #1

Merged: 11me merged 16 commits into main from fix/deep-review on Mar 29, 2026

11me (Contributor) commented Mar 29, 2026

Summary

Iterative codex deep review + fix cycle (5 iterations, 16 fixes).

Security:

  • Mitigate prompt injection via untrusted tool output in hook (sanitize backticks, code-fence isolation)
  • Anchor remote regex to github.com/heurema org to prevent substring false matches
  • Route auto-report through /report flow instead of direct gh issue create

Bug fixes:

  • Prevent grep from killing hook under set -euo pipefail (missing || true)
  • Keep temp file alive for retry path (was deleted before retry could use it)
  • Merge submission + retry into single bash block to avoid EXIT trap race
  • Track gh issue create exit status properly, surface real errors instead of swallowing all as label failures
  • Detect gh auth via exit code instead of fragile string matching
  • Fix clipboard fallback: accurate status message, conditional cleanup
  • Handle SSH remotes and non-heurema repos in detection
  • Exit early when jq is not installed (silent dependency)

Consistency:

  • Expand hook product list to match documented products
  • Add signum/delve to CLI product list
  • Expand manual fallback product choices
  • Show destination repo in issue preview
  • Document PostToolUse hook in architecture docs
  • Clarify conditional temp file cleanup rule

Test plan

  • Verify /report bug flow with gh available
  • Verify /report fallback when gh is unavailable
  • Verify hook fires for known products (signum, herald, etc.)
  • Verify hook does NOT fire for non-heurema commands
  • Verify SSH remote detection works (git@github.com:heurema/repo.git)

@11me 11me merged commit cecbe07 into main Mar 29, 2026
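
The anchored remote check and SSH remote handling listed in the summary above, sketched as an added example that is not code from this pull request. `ORG`, both function names and the sample remotes other than the one in the test plan are assumptions made for illustration, and the unanchored check is a constructed stand-in for the kind of substring match the summary says was replaced.

```shell
#!/bin/sh
# Added example (not the project's code). ORG and both function names are
# hypothetical; the sample remotes in the loop below are constructed.
ORG="heurema"

# Unanchored substring check: matches the org string anywhere in the URL.
naive_match() {
  case $1 in
    *"github.com/$ORG"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Anchored check: host must be github.com and the path exactly <ORG>/<repo>.
# Prints the repo name on success, returns 1 otherwise.
heurema_repo_from_remote() {
  hr_url=$1
  case $hr_url in
    https://github.com/*)   hr_path=${hr_url#https://github.com/} ;;
    ssh://git@github.com/*) hr_path=${hr_url#ssh://git@github.com/} ;;
    git@github.com:*)       hr_path=${hr_url#git@github.com:} ;;  # scp-style SSH
    *) return 1 ;;                                                # any other host
  esac
  hr_path=${hr_path%/}
  hr_path=${hr_path%.git}
  case $hr_path in
    "$ORG"/*) hr_repo=${hr_path#"$ORG"/} ;;  # org must be the first path segment
    *) return 1 ;;
  esac
  case $hr_repo in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;        # empty, extra "/" or odd characters
  esac
  printf '%s\n' "$hr_repo"
}

for u in \
  'https://github.com/heurema/repo.git' \
  'git@github.com:heurema/repo.git' \
  'https://github.com/heurema-fork/repo.git' \
  'https://example.test/github.com/heurema/repo' \
  'https://github.com.example.test/heurema/repo'
do
  if r=$(heurema_repo_from_remote "$u"); then a="accept:$r"; else a="reject"; fi
  if naive_match "$u"; then n="match"; else n="no-match"; fi
  printf '%-48s anchored=%s naive=%s\n' "$u" "$a" "$n"
done
```

Every branch is evaluated inside `if` or `case`, so the functions stay safe to call from a hook running under `set -euo pipefail`.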