Rewrite onboarding prose to a neutral voice

scripts/git-credential-forge.py

@@ -16,7 +16,7 @@ On every ``get`` the helper:
    unchanged so the normal prompt chain continues.
 2. Checks that the git request host matches the host recorded in
    ``_forge_gitea_base_url`` (or ``FORGE_GITEA_URL``). If not, passes
-   through: this ensures we never hand OAuth tokens to unrelated
+   through: this prevents OAuth token disclosure to unrelated
    hosts even if git mis-scopes its lookup.
 3. If ``gitea_access_token`` is live, emits
    ``username=<stored-user>`` and ``password=<gitea_access_token>``.
@@ -29,7 +29,7 @@ Security notes
 --------------
 * The helper never writes to stdout except the credential key=value
   block. Logs go to stderr.
-* On OAuth refresh failure we exit **non-zero** rather than silently
+* On OAuth refresh failure the process exits **non-zero** rather than silently
   returning stale credentials.
 """
 from __future__ import annotations
@@ -93,7 +93,7 @@ def _configured_host() -> tuple[str, str, int | None] | None:
 
     Priority:
         1. The ``_forge_gitea_base_url`` field inside the stored auth
-           file: that is the host we actually authenticated against.
+           file: the authenticated host.
         2. The ``FORGE_GITEA_URL`` env var (pre-login override).
     Returns None if neither is set; the helper then passes through.
     """
@@ -150,7 +150,7 @@ def _request_matches(
 def cmd_get(fields: dict[str, str]) -> int:
     configured = _configured_host()
     if configured is None:
-        emit(fields)  # pass-through: we don't know who we answer for
+        emit(fields)  # pass-through: helper scope is undefined
         return 0
     if not _request_matches(fields, configured):
         emit(fields)  # pass-through: request is for a different host