feat: add secure envsitter dotenv operations

Expose validate/copy/format/annotate tools with dry-run by default, and switch is_equal matching to candidate hashing. Remove prompt-append warning to avoid writing into OpenCode input.

test/envsitter-guard.hook.test.ts

@@ -19,12 +19,11 @@ function createClientSpy(): {
     client: {
         tui: {
             showToast: (input: { body: { title: string; variant: string; message: string } }) => Promise<void>;
-            appendPrompt: (input: { body: { text: string } }) => Promise<void>;
         };
     };
-    calls: { showToast: number; appendPrompt: number };
+    calls: { showToast: number };
 } {
-    const calls = { showToast: 0, appendPrompt: 0 };
+    const calls = { showToast: 0 };
 
     return {
         calls,
@@ -33,9 +32,6 @@ function createClientSpy(): {
                 async showToast() {
                     calls.showToast += 1;
                 },
-                async appendPrompt() {
-                    calls.appendPrompt += 1;
-                },
             },
         },
     };
@@ -117,5 +113,4 @@ test("toasts are throttled", async () => {
     await assert.rejects(() => hook({ tool: "read", sessionID: "s", callID: "c" }, { args: { filePath: ".env" } }));
 
     assert.equal(calls.showToast, 1);
-    assert.equal(calls.appendPrompt, 1);
 });