[Validation]: Auth and secret suitability gate should escalate before branch mutation

[zhyongrui]

Summary
Validate that openclaw code run stops before branch mutation when an issue explicitly touches authentication, secret handling, and permission checks.

Expected behavior
The workflow should record a suitability assessment, move to escalated, and stop before preparing a worktree or opening a pull request.

Why this exists
This is a repository-local validation issue for the suitability gate rollout. It should not implement auth or secret changes.