feat: GitHub App integration for agent bot identity

[federiconeri]

Summary

The wiggum agent currently posts GitHub comments (issue updates, tech debt issues) using the authenticated user's gh CLI session. Comments should appear as a dedicated bot account for clarity and separation of concerns.

Proposed approach: GitHub App

Register a Wiggum GitHub App that:

• Users install on their repos
• Comments appear as wiggum[bot] — clearly identifiable as automated
• The CLI generates installation tokens from the App ID + private key
• No manual PAT management needed by users

Implementation outline

1. Register a "Wiggum" GitHub App on GitHub with permissions: issues: write, pull_requests: write
2. Add App authentication to the CLI:
   • Store App ID + private key (via config or env)
   • Generate JWT from private key
   • Create installation access tokens for the target repo
   • Pass token as GH_TOKEN to gh CLI commands in src/agent/tools/reporting.ts
3. Add wiggum setup github-app command to guide users through installation
4. Fallback: if no App configured, use existing gh auth session (current behavior)

Context

• Reporting tools: src/agent/tools/reporting.ts (commentOnIssue, createTechDebtIssue)
• All GitHub operations use execFile('gh', ...) — the GH_TOKEN env var overrides auth
• Bot account already exists: https://github.com/wiggum-agent (federiconr+wiggum@gmail.com)

Interim workaround

Users can set WIGGUM_AGENT_GITHUB_TOKEN (a PAT for a bot account) in .ralph/.env.local and modify ghExec() to pass it as GH_TOKEN. This is a simpler approach for single-user setups.