fix(#1430): Prevent shell injection from commit messages

Backticks in git commit -m messages can trigger shell expansion
during hook processing. This adds:

  - .githooks/pre-commit: warns when commit message contains
    backticks (reads COMMIT_EDITMSG, warns but does not block)
  - scripts/safe-commit.sh: safe commit wrapper using -F <file>
    instead of -m (prevents all shell expansion)
  - docs/SAFE_COMMIT_PATTERNS.md: documents safe patterns and
    what NOT to do

The repo hooks (pre-commit, stale-pr-closer) are already clean.
This is preventive hardening + documentation.

Fixes #1430

scripts/safe-commit.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════════
+# safe-commit.sh — Commit with message from file (prevents shell injection)
+#
+# Issue #1430: Backticks in commit messages can trigger shell
+# substitution during git hook processing. Using -F <file> instead
+# of -m prevents this.
+#
+# Usage:
+#   ./scripts/safe-commit.sh "my commit message"
+#   ./scripts/safe-commit.sh -F message.txt
+#   echo "message" | ./scripts/safe-commit.sh --stdin
+# ═══════════════════════════════════════════════════════════════
+set -euo pipefail
+
+TMPFILE=$(mktemp /tmp/commit-msg-XXXXXX)
+trap "rm -f $TMPFILE" EXIT
+
+if [ "${1:-}" = "-F" ] && [ -n "${2:-}" ]; then
+    # Use provided file
+    cp "$2" "$TMPFILE"
+elif [ "${1:-}" = "--stdin" ]; then
+    # Read from stdin
+    cat > "$TMPFILE"
+elif [ -n "${1:-}" ]; then
+    # Write argument to temp file (no shell expansion)
+    printf '%s' "$1" > "$TMPFILE"
+else
+    echo "Usage: $0 <message> | $0 -F <file> | $0 --stdin"
+    echo ""
+    echo "Always uses git commit -F to prevent shell injection."
+    exit 1
+fi
+
+# Stage all changes
+git add -A
+
+# Commit using file (no shell expansion of message content)
+git commit -F "$TMPFILE"
+
+echo "✓ Committed safely (no shell expansion)"