[Task] Harden release agent safety gates

[ashleyshaw]

Is your code refactoring request related to a problem?

The current release agent can continue into tagging and publishing even when its safeguards are too soft for a live release. It also still carries hardcoded release assumptions that can mis-target publish steps when the release path changes.

Describe the Refactoring / Review Task

Harden the release agent so live releases fail fast unless the repository is in a known-good state.

Scope:

• fail live releases when the worktree is dirty
• verify target branch, commit, and version alignment before mutation
• tighten duplicate tag and duplicate release preflight checks
• remove or reduce hardcoded branch assumptions where they can mis-target publishing

Use Case

Release maintainers and automation operators need a safe release command that cannot silently tag the wrong commit or continue through a stale local state.

Alternatives Considered

• Leave the current warnings in place and rely on workflow discipline
• Move all checks into the workflow only
• Require live confirmation plus stronger runtime guards

The safe default is to enforce hard failures in the agent and keep workflow gates as a second layer.

Additional Context

• Source pack: .github/projects/active/release-agent-hardening/
• Proposal spec: openspec-strict/children/01-1-task-release-agent-safety-gates.md

Example Code Snippets

Before: dirty tree logs a warning and the agent continues
After: dirty tree aborts the live release before tagging

Refactoring / Review Checklist

• Live release cannot proceed when the tree is dirty
• Live release cannot proceed when the version or branch state is invalid
• Remote duplicate tag/release checks are enforced
• Dry-run still works without side effects

Code Area(s) Impacted

• Backend
• Integrations
• Other: release agent and release safety flow

[linear-code]

LS-922