
security(copilot): Add review gate before auto-push on /copilot commands #156

@peteroden

Description

Problem

/copilot comments accept arbitrary user text as the LLM prompt. A malicious prompt could instruct the agent to generate destructive changes (delete files, overwrite configs, inject backdoors). Currently all changes are auto-pushed without human review.

Risk

OWASP: A04 Insecure Design
Severity: Medium
Impact: Malicious code pushed to branch via prompt injection

Proposed Solution

Add an opt-in review gate: instead of auto-pushing, post the diff as a MR comment for human approval. Only push after explicit confirmation (e.g., /copilot approve or thumbs-up reaction).

Acceptance Criteria

  • Configuration option to enable review gate (COPILOT_REVIEW_GATE=true)
  • When enabled: agent posts diff as MR comment instead of pushing
  • Human confirms via reaction or follow-up command → agent pushes
  • When disabled: current auto-push behavior preserved (backward compatible)
  • Documentation updated

Context

Identified during OWASP review of #144. See docs/wiki/security-model.md → Recommended Hardening #12 and Residual Risks #5.
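The gate described in the acceptance criteria above, as an added example that is not the project's code: a small state machine that keeps the legacy auto-push when `COPILOT_REVIEW_GATE` is unset, otherwise parks the agent's diff as an MR comment and pushes only on an exact `/copilot approve` note or a thumbs-up reaction on that comment. The event shapes, the `copilot-bot` account name and the `thumbsup` reaction name are assumptions; the refusal to accept an approval authored by the bot account itself is added here because a prompt-injected agent could otherwise post its own confirmation.

```python
"""Review gate for /copilot commands (added example, not the project's code).

Assumptions not taken from the issue: the agent hands over its change as a
unified-diff string, MR note and reaction events arrive as plain arguments,
and the bot's own account name is known so it can never approve itself.
"""
import os
from dataclasses import dataclass, field

BOT_USER = "copilot-bot"          # assumed service account of the agent
APPROVE_CMD = "/copilot approve"  # confirmation command named in the issue
APPROVE_REACTION = "thumbsup"     # assumed host-side name of the thumbs-up


@dataclass
class PendingChange:
    mr_id: int
    diff: str
    requested_by: str
    comment_id: int  # the diff comment on which reactions are counted


@dataclass
class ReviewGate:
    enabled: bool
    pending: dict = field(default_factory=dict)   # mr_id -> PendingChange
    pushed: list = field(default_factory=list)    # (mr_id, diff) actually pushed
    comments: list = field(default_factory=list)  # (mr_id, body) posted to the MR

    @classmethod
    def from_env(cls, env=None):
        """Opt-in: anything other than COPILOT_REVIEW_GATE=true keeps auto-push."""
        env = os.environ if env is None else env
        return cls(enabled=env.get("COPILOT_REVIEW_GATE", "false").lower() == "true")

    def on_agent_result(self, mr_id, diff, requested_by):
        """Called when the agent has produced a change for an MR."""
        if not self.enabled:
            self.pushed.append((mr_id, diff))  # legacy behaviour, unchanged
            return "pushed"
        comment_id = len(self.comments) + 1  # stand-in for the host's note id
        self.comments.append((mr_id, "Proposed change (awaiting approval):\n" + diff))
        self.pending[mr_id] = PendingChange(mr_id, diff, requested_by, comment_id)
        return "awaiting-approval"

    def on_note(self, mr_id, author, body):
        """New MR comment. Only an exact approve command counts, so the command
        buried inside a longer (possibly injected) comment is not a confirmation."""
        if body.strip() != APPROVE_CMD:
            return "ignored"
        return self._approve(mr_id, author)

    def on_reaction(self, mr_id, comment_id, author, reaction):
        """Thumbs-up on the diff comment itself, not on any other note."""
        change = self.pending.get(mr_id)
        if change is None or comment_id != change.comment_id or reaction != APPROVE_REACTION:
            return "ignored"
        return self._approve(mr_id, author)

    def _approve(self, mr_id, author):
        change = self.pending.get(mr_id)
        if change is None:
            return "nothing-pending"
        if author == BOT_USER:
            # The confirmation must come from a human, never from the agent.
            return "rejected-self-approval"
        del self.pending[mr_id]
        self.pushed.append((mr_id, change.diff))
        return "pushed"
```

The host integration (posting the comment, performing the push) is left to the caller; the gate only decides, which keeps the approval rule testable on its own.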

Labels: security (Security hardening)