Production runner: harden live GitHub transport policy

[MrFlashAccount]

Goal

Harden the live GitHub transport policy for production use: remote PR creation/update, comments, statuses, and any external write must be gated by explicit config/approval, repo allowlists, idempotency, audit evidence, and safe defaults.

Dependencies

• Depends on the operator control plane in Production runner: add operator control plane #19 for safety/audit policy and approval visibility.
• Runs after the production runner has durable PASS evidence for the current epoch; it must not become the source of truth.

Current state / evidence

• docs/github-projection-contract.md says default handoff_ready uses local_fake; live GitHub CLI transport is available only when explicitly enabled with repo allowlist, exact stack branches, idempotency keys, and PASS gate evidence.
• The same doc forbids deriving state from provider comments, moving work to Done, merging a review target, or expanding scope from remote comments.
• README.md notes handoff transport is disabled by default and records local projection intent before remote writes.
• Tests already exercise some SCM handoff contract/projection behavior, but production operator policy needs a concrete end-to-end safe-mode surface.

Scope

• Define and enforce safe-mode config that defaults to no remote writes.
• Require repo allowlist match, exact remote/branch binding, current-epoch verification PASS, internal-review PASS, recorded projection intent, and required operator approval before external writes.
• Cover PR create/update, compact review comment/update, status/label/project mutation policy with explicit allow/deny decisions and structured blockers.
• Record audit/idempotency evidence for each attempted external write.
• Mock gh/GitHub client behavior in tests; avoid real network writes in CI.

Acceptance criteria

• Live GitHub transport is disabled by default and cannot perform remote writes unless explicitly enabled and approved under policy.
• Remote writes require repo allowlist match, exact remote/branch binding, current-epoch verification PASS, internal-review PASS, recorded projection intent, and approval evidence where configured.
• PR create/update, comment/update, status/label/project mutations each have clear allow/deny policy and structured blockers when disabled.
• No force push, merge, branch deletion, Done movement, or scope expansion is possible through this transport path.
• Idempotency prevents duplicate comments/PRs where GitHub allows it; unavoidable duplicates are auditable in local projection logs.
• Auth/timeout/API failures block safely and do not advance local state as if the remote write succeeded.
• Tests cover disabled transport, non-allowlisted repo, remote mismatch, missing PASS gates, missing approval, duplicate retry, auth/timeout blocker, and successful PR create/update using a mocked gh client.

Non-goals

• No auto-merge.
• No GitHub-only state source of truth.
• No force-push or destructive remote mutation.
• No support for every GitHub project/status surface in the first slice; start with the minimum production handoff surface.

Planning notes / questions

• Decide whether approval is per run, per transport invocation, or config-level plus run-level.
• First supported remote mutations can be PR open/update and one compact review comment.
• Keep provider-neutral core clean; GitHub remains an integration/profile.

Suggested labels

• enhancement