
Audit: Guardrails & observability fixes #290

@flyingrobots

Summary

Forensic architectural audit identified several operational gaps. This issue tracks PR #1 (guardrails).

Fixes in this issue

  • RISK-002 (Sev-2): processCommitCmd uses execSync with SHA interpolation — replace with execFileSync
  • RISK-003 (Sev-2): npm run lint is dead — ESLint 9 requires flat config, none exists
  • RISK-006 (Sev-3): No test coverage reporting in CI

Backlog (follow-up issues)

  • FIX-004: Document GITMIND_AGENT security model
  • FIX-007: Update README.md to v4.0.1 (M12/M13 features undocumented)
  • FIX-008: Update GUIDE.md with content, extension, set/unset commands
  • FIX-009: npm audit fix for dev dependencies (6 CVEs, all dev-only)

Audit Report

Full report at ~/git/JAMES_ROSS_REPORTS/audit/git-mind/AUDIT_REPORT.md
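
For RISK-002, the following added example (not git-mind code and not part of the original issue) contrasts a shell-parsed command string with a validated argv array passed to execFileSync. The function names, the `git show` arguments and the sample inputs are assumptions made for illustration; the issue does not show the body of processCommitCmd.

```javascript
// Added example, not git-mind code. All function names are hypothetical.
const { execFileSync } = require('node:child_process');

// Full commit ids only: 40 hex chars (SHA-1) or 64 (SHA-256 object format).
const FULL_SHA = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

function isFullSha(value) {
  return typeof value === 'string' && FULL_SHA.test(value);
}

// Pattern RISK-002 describes: the value becomes part of a string that a
// shell parses. Built here for comparison only; it is never executed.
function shellStringFor(sha) {
  return `git show --no-patch --format=%H ${sha}`;
}

// Replacement: validate, then hand git an argv array. No shell is involved,
// and the regex also rejects values starting with "-" that git would
// otherwise read as options.
function gitArgsFor(sha) {
  if (!isFullSha(sha)) {
    throw new TypeError('expected a full hexadecimal commit id');
  }
  return ['show', '--no-patch', '--format=%H', sha];
}

// Requires git and a repository at cwd.
function showCommit(sha, cwd = process.cwd()) {
  return execFileSync('git', gitArgsFor(sha), { cwd, encoding: 'utf8' }).trim();
}

// Shows execFileSync semantics without needing a repository: a child Node
// process reports the argv it received, one element per array entry.
function argvSeenByChild(args) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', script, ...args], { encoding: 'utf8' });
  return JSON.parse(out);
}

// Constructed sample inputs.
const GOOD = 'a'.repeat(40);
const BAD = 'HEAD; echo INJECTED';
```

With execFileSync the constructed `BAD` value reaches the child as one literal argument, while in the shell string the `;` would be read as a command separator; the validator rejects it before either path is taken.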
