fix(orchestrator): parent-must-be-on-main guard in state check + loop tick (AISDLC-358)

[deefactorial]

Summary

Pattern-C contract enforcement: parent worktree MUST be on main. Detects parent on stale feature branch and either auto-recovers (clean tree) or refuses (dirty tree). Prevents the silent-stale-main class of incident encountered today.

Changes

• scripts/check-orchestrator-state.sh: pre-flight branch check via git symbolic-ref --short HEAD. Clean non-main → git checkout main && git reset --hard origin/main. Dirty non-main → refuse with explicit error naming branch + dirty paths + recovery command. Explicit error handling on checkout/reset failure (no silent 2>/dev/null swallowing).
• pipeline-cli/src/orchestrator/loop.ts: runParentBranchGuard() + ParentNotOnMainError called at top of every runOrchestratorTick(), before frontier scan. Exit-code check on git checkout main prevents false "auto-recovered" success log when checkout fails.
• Tests: 4 hermetic shell tests covering all 4 AC scenarios + 22 TS unit tests in loop.branch-guard.test.ts covering all 5 runParentBranchGuard branches + ParentNotOnMainError constructor truncation. parentBranchGuard: async () => {} no-op stub injected into all loop test adapters (removes accidental /tmp not a git repo dependency).
• CLAUDE.md: Pattern C "Hard guards" subsection documenting the enforcement.

Reviewer findings addressed

3 code/test reviewer subagents flagged 5 majors total; all addressed in commits 7d96da0 + 9f3fd04:

• Code Major 1 — silent shell checkout/reset failures with suppressed stderr → explicit error handling
• Code Major 2 — TS auto-recovery silent success log on checkout failure → exit-code check + throw
• Test Major 1 — runParentBranchGuard had zero TS unit tests → 22 new tests
• Test Major 2 — ParentNotOnMainError untested → constructor tests including truncation path
• Test Major 3 — existing loop tests didn't inject parentBranchGuard adapter → stubbed across 12 loop test files

Security reviewer: APPROVED clean (no exploitable surface; branch-name injection prevented by git's check-ref-format + execFile array-arg).

Test plan

• Pre-tick guard fires on cli-orchestrator tick when parent is on stale feature branch (clean → auto-recover)
• Guard refuses with clear error when parent is on stale branch + dirty tree
• No regression on parent-on-main happy path
• All 22 new unit tests + 4 new shell tests pass

🤖 Generated with Claude Code

[github-actions]

AI-SDLC: Reviewer Agents Skipped (Local Attestation Valid)

A valid DSSE attestation envelope was found at
.ai-sdlc/attestations/<HEAD-sha>.dsse.json for this commit. The 3 review
agents were already run locally via /ai-sdlc execute and the verdict was
cryptographically signed against:

• Per-file content hash (contentHashV3)
• Review policy hash
• Reviewer agent file hashes
• Plugin version

CI re-running the same 3 agents would produce the same verdict at the cost
of ~3 Anthropic API invocations. Per AISDLC-147 patch 1, we trust the local
attestation as a SOFT signal and skip the duplicate review.

Note: Attestation remains AUDIT-ONLY as a merge gate (per AISDLC-140 sub-4).
The re-actors/alls-green aggregator (ai-sdlc/pr-ready) is the single merge gate.

Posted by AI-SDLC Review Agents — AISDLC-147 attestation cost-saver

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

AI-SDLC: Reviewer Agents Skipped (Anthropic Budget Exhausted)

3/3 review agents failed with HTTP 400 invalid_request_error
("credit balance is too low"). The remaining agent(s) either succeeded or were
skipped by the AISDLC-141 conditional classifier. Since every reviewer that
DIDN'T succeed only failed due to budget, the noisy CHANGES_REQUESTED has been
suppressed.

What this means:

• This PR has been only partially reviewed by the automated agents.
• Branch protection still requires ai-sdlc/pr-ready (the rollup gate),
  but the Post Review Results status was posted as success so the gate
  does not deadlock.
• A human reviewer should manually validate this PR before merging,
  or top up the Anthropic API credit balance and push again to re-trigger.

Posted by AI-SDLC Review Agents — AISDLC-147 budget circuit breaker (AISDLC-157 broadened gate)

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).

[github-actions]

Auto-approved by valid local DSSE attestation (AISDLC-147 patch 1).