feat: v0.2.0 expanded hardening

Add gitleaks pre-commit hook, global gitignore, plaintext credential
detection, SSH key hygiene audit, 8 new git config settings, and
safe.directory wildcard detection. Fix ssh-keygen macOS compatibility,
FIDO2 detection via ioreg, and interactive test isolation.

Implements docs/specs/2026-03-31-v0.2.0-expanded-hardening.md

Co-Authored-By: Claude <noreply@anthropic.com>
Flo
2026-03-31 14:03:29 +02:00
parent 0e6d04fefb
commit 8037cb7908
11 changed files with 2019 additions and 65 deletions

@@ -26,9 +26,11 @@ main() {
wait_for "Proceed with hardening"
send "y" Enter
# Accept each setting prompt by sending "y" + Enter repeatedly
# Accept each setting prompt by sending "y" + Enter repeatedly.
# v0.2.0 adds more prompts (pre-commit hook, gitignore, core.symlinks),
# so we need enough iterations to get through all of them.
local pane_content
for _ in $(seq 1 30); do
for _ in $(seq 1 50); do
sleep 0.3
pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
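Review bot: the hard-coded iteration count in `for _ in $(seq 1 50); do` will need another bump every time a prompt is added, and with `sleep 0.3` per pass it quietly limits the prompt phase to about 15 seconds of sleeping. Consider looping until "Signing key options" appears under a named timeout variable, and failing the test with a clear message if the loop ends without a match. Because every prompt is answered with "y" unconditionally, the test also does not confirm that the new pre-commit hook, gitignore and core.symlinks prompts actually appeared; asserting on their text in the captured pane would cover that.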
@@ -41,7 +43,7 @@ main() {
done
# Signing wizard — skip
wait_for "Signing key options" 15
wait_for "Signing key options" 20
send "s" Enter
# Wait for completion
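Review bot: the timeout change in `wait_for "Signing key options" 20` carries no comment or rationale, unlike the loop in the previous hunk, which got one. That loop already greps the pane for "Signing key options", so the prompt should normally be on screen by the time this wait runs; if the longer timeout is needed because the loop can run out first, say so in a comment, or tie both limits to one shared variable so they are adjusted together.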