Severity: MEDIUM
Contains SHA validation regex that prevents flag injection into `git checkout`. The `Lockfile` model is tested but the operations that use lockfiles are not. Must-test: SHA regex edge cases, missing lockfile behavior, partial failures.
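A table-driven sketch of the SHA regex edge cases listed above, added here as an example and not taken from the project's code. The names `is_valid_sha` and `checkout_argv`, and the accepted formats (full lowercase 40-hex SHA-1 or 64-hex SHA-256), are assumptions. Lockfile and partial-failure behavior are not covered.

```python
import re

# Assumption: only full, lowercase object names are accepted
# (40 hex chars for SHA-1, 64 for SHA-256). Not the project's own pattern.
_SHA_RE = re.compile(r"[0-9a-f]{40}(?:[0-9a-f]{24})?")


def is_valid_sha(value):
    """True only if the whole string is a full hex object name."""
    # fullmatch() anchors both ends; unlike '$', it does not tolerate
    # a trailing newline.
    return isinstance(value, str) and _SHA_RE.fullmatch(value) is not None


def checkout_argv(sha):
    """Build the argv for `git checkout`, refusing anything that is not a SHA."""
    if not is_valid_sha(sha):
        raise ValueError(f"refusing non-SHA revision: {sha!r}")
    # List form, no shell: the SHA is a single argv element.
    return ["git", "checkout", sha]


# Constructed inputs (not from the project) mapped to the expected verdict.
EDGE_CASES = {
    "a" * 40: True,            # SHA-1 length
    "a" * 64: True,            # SHA-256 length
    "a" * 39: False,           # one short
    "a" * 41: False,           # between the two valid lengths
    "A" * 40: False,           # uppercase rejected under this assumption
    "a" * 39 + "g": False,     # non-hex character
    "a" * 40 + "\n": False,    # trailing newline
    " " + "a" * 40: False,     # leading whitespace
    "-" + "a" * 39: False,     # leading dash, right length
    "--" + "a" * 38: False,    # long-option shape, right length
    "\uff10" * 40: False,      # fullwidth digits, not ASCII hex
    "": False,
    None: False,               # e.g. field missing from a lockfile entry
}


def run_edge_cases():
    """Return {input: verdict} so a test can compare against EDGE_CASES."""
    return {value: is_valid_sha(value) for value in EDGE_CASES}


def weak_pattern_accepts_trailing_newline():
    """The common '^...$' + re.match form lets a trailing newline through."""
    return re.match(r"^[0-9a-f]{40}$", "a" * 40 + "\n") is not None
```
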