[Fix] Guard likely owner commit links

[samzong]

What's changed?

• Trim likely owner commit entries before rendering them.
• Render only SHA-like values as commit links in Likely related people.
• Add unit coverage for mixed provenance where a PR URL is present alongside a valid commit SHA.

Why

ClawSweeper public comments can receive non-SHA provenance strings in likelyOwners[].commits. Before this change, those values were passed directly to the commit-link renderer, producing invalid GitHub commit URLs in visible comments.

Evidence from existing public ClawSweeper comments:

• [Bug]: cached plugin tool wrapper uses plugin-level declaredNames as per-factory runtime identity openclaw#78671 (comment) rendered a PR URL as /commit/https://github.com/openclaw/openclaw/pull/76079.
• [Bug]: ACP child sessions report stopReason="stop" with usage=0 before harness completes, causing parent agents to abandon mid-flight openclaw#72080 (comment) rendered #23580 as /commit/#23580.
• [Bug] Telegram forum topic: automatic agent replies not delivered to topic thread (responses silently lost) openclaw#77514 (comment) rendered #73046 and #727 as commit links.
• fix(qqbot): require auth for bot-clear-storage openclaw#71158 (comment) rendered PR #67960 as /commit/PR #67960.
• [Bug]: Active-memory on multi-agent Telegram gateway is inconsistent (ok / empty / timeout) and not safe to enable globally openclaw#75176 (comment) rendered several PR #... entries as commit links.
• openai-codex provider broken since 2026.4.5 — Cloudflare challenge + missing OAuth scope openclaw#68033 (comment) rendered PR #64713, PR #67642, and PR #67704 as commit links.

Validation

• pnpm run check
• /pre-ship --committed: 0 MUST-FIX findings, no deferred findings