Set SSH_AUTH_SOCK for git operations

The sandboxed shell environment does not inherit the user's SSH agent socket. Any git push, git fetch, or git pull will fail with "Permission denied (publickey)" unless SSH_AUTH_SOCK is explicitly exported first.

Why: The user's terminal has an SSH agent running with the key unlocked, but the sandbox starts with an empty SSH_AUTH_SOCK. The git remote uses SSH (git@github.com:), and without the agent the connection fails on authentication.

How to apply: Anything run through compass (pr create, pr sync, capture promote, task start, …) needs no setup: compass.sh exports SSH_AUTH_SOCK automatically from the sole socket in ORES_SSH_AGENT_DIR (from .env; default ~/.ssh/agent) when the calling environment does not provide a live one. For raw git commands, source the project script first:

export SSH_AUTH_SOCK=$(ls -d ~/.ssh/agent/* 2>/dev/null | head -1)
git push origin ...

The script reads the sole file in /home/marco/.ssh/agent/ and exports SSH_AUTH_SOCK from it. The filename changes when the agent restarts (reboot, crash), but the directory is stable, so the script always finds the current socket without manual intervention.

Do not probe /run/user/*/gnupg/ or other sockets. The GPG agent SSH emulation socket (S.gpg-agent.ssh) is a different thing and must not be touched.