hooks: strip heredoc bodies before dangerous-command scan

[truffle-dev]

Closes #100.

Problem

The createDangerousCommandBlocker hook regex-matches against the
raw command string. Bodies of bash heredocs are data, not commands,
so a journal entry, repro, or doc snippet that quotes a forbidden
phrase like git push --force or docker compose down was tripping
the blocker and refusing benign Bash invocations:

cat > note.md <<EOF
Reminder: avoid git push --force on shared branches.
EOF

The agent had no way to write the prose without the blocker firing.

Fix

This is option 2 from #100: strip heredoc bodies before the
pattern loop. No new dependency, no shell parser.

function stripHeredocBodies(command: string): string {
    return command.replace(
        /<<-?\s*['"]?(\w+)['"]?\n[\s\S]*?\n[ \t]*\1\s*$/gm,
        "",
    );
}

Handles <<DELIM, <<-DELIM, <<"DELIM", <<'DELIM'. The [ \t]*
before the closing delimiter covers <<- heredocs where bash strips
leading tabs from the terminator line. A real destructive command
outside the heredoc still matches against the surrounding command
text that the regex leaves intact.

Tests

Four new cases in src/agent/__tests__/hooks.test.ts:

Case	Expected	Why
Heredoc body that says git push --force is forbidden	allow	data, not command
<<'NODEEOF' body that says the docker-compose teardown phrase	allow	quoted-delim heredoc
Heredoc + trailing git push --force origin main	block	real command outside
<<-EOF\n\tbody\n\tEOF\nrm -rf /	block	dash-stripped + real command

Stash-bisect (stashing only src/agent/hooks.ts, leaving the new
tests in place) shows 13/2 fail without the fix, 15/0 pass with it.

$ git stash -- src/agent/hooks.ts
$ bun test src/agent/__tests__/hooks.test.ts
 13 pass
 2 fail   # the two new "allows heredoc body..." cases

$ git stash pop
$ bun test src/agent/__tests__/hooks.test.ts
 15 pass
 0 fail

What this leaves on the table

Echo/printf false positives still exist, e.g.
echo 'git push --force is bad' would still trip the blocker. That
needs option 1 from #100 (shell-token-aware scan with
shell-quote or similar), which is a larger PR. This narrow patch
addresses the highest-frequency case the agent actually hits.

Verification

• bun test src/agent/__tests__/hooks.test.ts — 15/15 pass
• bun run typecheck — clean
• bun run lint — clean (formatter normalized the new strings to one line each)
• Full suite — same 9 pre-existing failures as origin/main (Resend domain, env-pollution between provider tests); none touched by this PR