feat(docker): apply git_user via git config --global on provision (issue #86)

Add a third provisioning subcase to
`backend/docker/provision/git.py`:

  _provision_git_user(plan, target)

Runs `docker exec -u node <container> git config --global
user.{name,email} <value>` for each field the bottle's
`git_user` declares. No-op when `git_user.is_empty()`.

`-u node` so `--global` lands in /home/node/.gitconfig (matching
the existing `_provision_git_gate_config` write location, so
agent-side `git` reads both configs from the same dotfile).

Name and email apply independently — a bottle declaring only
name runs just the user.name line, etc.

4 unit tests in `test_docker_provision_git_user.py`: no-op,
both-set, name-only, email-only. 657 unit tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/provision/git.py

@@ -1,6 +1,6 @@
 """Git provisioning inside a running Docker bottle.
 
-Two concerns, both about git in the agent:
+Three concerns, all about git in the agent:
 
   1. If --cwd was passed AND the host cwd has a .git, copy that .git
      into /home/node/workspace/.git so the agent operates on the
@@ -11,6 +11,9 @@ Two concerns, both about git in the agent:
      ls-remote) transparently hits the per-agent git-gate. The
      gate mirrors the upstream in both directions, so URL
      rewriting is symmetric.
+  3. If the bottle declares `git_user` (issue #86), set
+     `git config --global user.{name,email}` inside the bottle so
+     the agent's commits are attributed to that identity.
 """
 
 from __future__ import annotations
@@ -26,10 +29,11 @@ from ..bottle_plan import DockerBottlePlan
 
 
 def provision_git(plan: DockerBottlePlan, target: str) -> None:
-    """Set up git inside the bottle. Runs both subcases; each no-ops
-    when its condition isn't met."""
+    """Set up git inside the bottle. Runs all three subcases; each
+    no-ops when its condition isn't met."""
     _provision_cwd_git(plan, target)
     _provision_git_gate_config(plan, target)
+    _provision_git_user(plan, target)
 
 
 def _provision_cwd_git(plan: DockerBottlePlan, target: str) -> None:
@@ -78,3 +82,40 @@ def _provision_git_gate_config(plan: DockerBottlePlan, target: str) -> None:
     )
     docker_mod.docker_exec_root(container, ["chown", "node:node", container_gitconfig])
     docker_mod.docker_exec_root(container, ["chmod", "644", container_gitconfig])
+
+
+def _provision_git_user(plan: DockerBottlePlan, target: str) -> None:
+    """Apply `git config --global user.{name,email}` inside the
+    bottle so the agent's commits are attributed to the operator-
+    chosen identity instead of the agent image's default
+    (which is no user — git would refuse to commit at all
+    until the agent ran its own `git config`).
+
+    Runs as the `node` user so `--global` lands in
+    `/home/node/.gitconfig` (matching the existing
+    `_provision_git_gate_config` write location). No-op when the
+    bottle didn't declare `git_user`.
+
+    Each field set independently — name-only or email-only
+    configs only run the `git config` line for the field
+    present."""
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    gu = bottle.git_user
+    if gu.is_empty():
+        return
+    if gu.name:
+        info(f"git config --global user.name = {gu.name!r}")
+        subprocess.run(
+            ["docker", "exec", "-u", "node", target,
+             "git", "config", "--global", "user.name", gu.name],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
+    if gu.email:
+        info(f"git config --global user.email = {gu.email!r}")
+        subprocess.run(
+            ["docker", "exec", "-u", "node", target,
+             "git", "config", "--global", "user.email", gu.email],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )