fix: address LCM/SM review blockers R1, RA, R11, RB

[harshitsinghbhandari]

Summary

Four narrowly-scoped fixes against the LCM + Session Manager lane, from an external review of the current backend state.

Out of scope for this PR:

• R2 (failed-restore lifecycle stranding) and R3 (Restore bypassing LCM lock) — both close via aa-11's PR fix: reconcile LCM writer contract #15 (fix/lcm-writer-contract), which introduces LifecycleManager.OnSpawnInitiated and re-routes Manager.Restore through the LCM. Implementing R2 here would duplicate logic and conflict.
• Persistence-pipeline changes (Apply*/Upsert) — aa-11's territory.

Fixes

R1 (BLOCKER) — Spawn never persisted AgentSessionID so Restore always failed

Manager.Spawn built SpawnOutcome with an empty AgentSessionID, so MetaAgentSessionID was never written, and Manager.Restore's metadata check hard-failed every time.

Picked the fresh-launch fallback path (the agent's id-capture is a separate hook that may never have run, so there is nowhere to plumb an id-bearing return today):

• Added Prompt to ports.SpawnOutcome and MetaPrompt to the lifecycle metadata key set.
• Manager.Spawn now passes the assembled prompt; spawnMetadata persists it.
• Manager.Restore falls back to Agent.GetLaunchCommand with the seeded prompt when no agent session id is on hand. Restore still fails fast when neither is present — there's nothing to relaunch from.

RA (BLOCKER) — git worktree remove --force deleted dirty worktrees

adapters/workspace/gitworktree/commands.go passed --force, destroying uncommitted agent work and violating the worktree-remove safety invariant.

• Renamed worktreeRemoveForceArgs → worktreeRemoveArgs and dropped --force. The existing post-prune "still registered" guard in Workspace.Destroy now surfaces the refusal to Manager.Cleanup, which routes the session to Skipped.
• Added a belt-and-braces assertion in the destroy test that --force/-f are NEVER passed.

R11 (SHOULD-FIX) — OrchestratorEvent.ProjectID never populated

Both Notify call sites in reactions.go built events without ProjectID even though the struct supports it.

• Captured projectID on the transition struct (read from the record already loaded at the top of mutate) and on reactionTracker (so TickEscalations, which has no transition on hand, can still populate it).
• Threaded the value through react → executeReaction → sendToAgent → escalate and set it on both Notify call sites.

RB (SHOULD-FIX) — session/project ids could escape the project root

Workspace.managedPath used filepath.Join which cleans .. segments before validateManagedPath ran, so session="../other" stayed inside managedRoot while breaking per-project isolation.

• validateConfig now rejects path separators (/, \) and the ./.. components on ProjectID and SessionID at the source.

Test plan

• go build ./... passes
• go vet ./... passes
• go test -race ./... passes (238 tests across 12 packages)
• New focused tests:
  • TestRestore_NoAgentSessionID_FreshLaunchFallback — restore succeeds via fresh launch when no id was captured
  • TestRestore_NoIDAndNoPrompt_Errors — restore still fails fast with no id and no prompt
  • TestReaction_ProjectIDOnNotifyAndEscalateEvents (notify path, numeric-escalate path, TickEscalations path)
  • TestValidateConfigRejectsPathEscapingIDs + TestValidateConfigAcceptsBenignIDs
  • TestDestroyRefusesStillRegisteredPathAndPreservesDirectory extended to assert no --force flag
• Existing TestSpawn_HappyPath updated to assert MetaPrompt is persisted

🤖 Generated with Claude Code