fix: request_apply_commit resolves sha locally + rejects non-sha refs

hive-ag3nt/src/mcp.rs

@@ -738,7 +738,9 @@ pub struct RequestApplyCommitArgs {
     /// Agent whose config repo the commit lives in (use `"hm1nd"` for the
     /// manager's own config).
     pub agent: String,
-    /// Git sha (full or short) pointing at the proposed `agent.nix`.
+    /// Commit sha (full or short, 7-40 hex chars) in that agent's
+    /// proposed config repo. Must be a sha — a branch or tag name
+    /// (e.g. `main`) is rejected; the approval pins the exact commit.
     pub commit_ref: String,
     /// Optional description shown on the dashboard approval card so the
     /// operator knows what the change does without opening the diff.
@@ -991,8 +993,10 @@ impl ManagerServer {
 
     #[tool(
         description = "Submit a config change for operator approval. Pass the agent name \
-        (e.g. `alice` or `hm1nd` for the manager's own config) and a commit sha in that \
-        agent's proposed config repo. On approval hive-c0re rebuilds the container."
+        (e.g. `alice` or `hm1nd` for the manager's own config) and a commit sha (7-40 hex \
+        chars, full or short) in that agent's proposed config repo — a branch/tag name like \
+        `main` is rejected, the approval pins the exact commit. On approval hive-c0re \
+        rebuilds the container."
     )]
     async fn request_apply_commit(
         &self,