feat(cloud): instruct agent to create signed commits via GraphQL API

[Piccirello]

Problem

Cloud agent commits land unsigned because the sandbox runs git commit with no signing key. This prevents us from enforcing signed commits in our repos.

Changes

Switch the cloud system prompt to instruct the agent to use GitHub's createCommitOnBranch mutation instead, which signs commits with the API token identity automatically.

How did you test this?

Untested tbqh

Publish to changelog?

Yes!

[greptile-apps]

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
packages/agent/src/server/agent-server.ts:1633-1637
**Broken heredoc — unterminated shell construct**

The heredoc uses `<<'EOF'` but the terminator `   EOF` is indented with three spaces. POSIX shell requires the terminator for `<<'EOF'` to appear at column 0 — a leading space means the shell will never see the end of the heredoc, consuming the rest of the script as literal content. The `<<-'EOF'` variant strips leading *tabs* only, not spaces, so re-indenting with tabs would fix it — but the cleanest fix is to simply not indent the heredoc body and terminator relative to the outer code block.

### Issue 2 of 3
packages/agent/src/server/agent-server.ts:1651-1654
**`git reset --hard` discards uncommitted working-tree changes**

The instructions say "For *each* commit you want to make", so the agent may loop through steps 1–5 multiple times. After step 5's `git reset --hard "origin/$BRANCH_NAME"`, any files the agent had modified but not yet staged (intended for a later commit) are permanently gone. A safer alternative after the mutation succeeds is to update only the branch ref without touching the working tree, e.g. `git update-ref refs/heads/"$BRANCH_NAME" "$NEW_OID"` and then `git fetch origin "$BRANCH_NAME"` without the hard reset.

### Issue 3 of 3
packages/agent/src/server/agent-server.ts:1607-1629
**`$BRANCH_TIP_SHA` used before it is assigned**

Step 3's bash snippet references `"$BRANCH_TIP_SHA"` in the `git diff` invocation, but the variable is never assigned inside that snippet. Step 2 tells the agent to "determine the branch's current tip SHA" in prose, but there is no shell command that exports `BRANCH_TIP_SHA` before the snippet in step 3 uses it. The agent would have to infer the assignment (e.g. `BRANCH_TIP_SHA=$(git rev-parse HEAD)`). Making the assignment explicit in the snippet, or adding it as the first line of the step-3 code block, would make this self-contained and less fragile.

_{Reviews (1): Last reviewed commit: "feat(cloud): instruct agent to create si..." | Re-trigger Greptile}