Separate safe primary refresh from dangerous mutations

[chubes4]

Summary

• Add explicit allow_primary_refresh for safe primary git pull --ff-only refreshes.
• Add explicit allow_dangerous_primary_mutation for primary commit/push/reset/rebase/pr-rebase operations, so the generic mutation flag no longer unlocks dangerous primary writes.
• Guard stale/diverged/detached/no-upstream primary reads by default with allow_stale_primary opt-in for read/list/grep.
• Document the safer primary mirror architecture direction.

Fixes #716.
Fixes #717.
Fixes #718.

Testing

• php -l inc/Workspace/WorkspaceCoreUtilities.php
• php -l inc/Workspace/WorkspaceReader.php
• php -l inc/Workspace/WorkspaceGitOperations.php
• php -l inc/Abilities/WorkspaceAbilities.php
• php -l inc/Tools/WorkspaceTools.php
• php -l inc/Cli/Commands/WorkspaceCommand.php
• php -l inc/Runtime/AgentsMdSections.php
• php tests/smoke-workspace-clone-ux.php
• php tests/smoke-workspace-apply-patch.php
• git diff --check

AI assistance

• AI assistance: Yes
• Tool(s): OpenCode (GPT-5.5)
• Used for: Investigated primary workspace safety issues, drafted implementation and architecture doc, and ran local verification commands. Chris retains responsibility for review and merge.

[homeboy-ci]

Homeboy Results — data-machine-code

Lint

✅ lint — passed

ℹ️ Full options: homeboy docs commands/lint
ℹ️ Save lint baseline: homeboy lint data-machine-code --baseline
Deep dive: homeboy lint data-machine-code --changed-since f5b51fb

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-lint-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-lint-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27552905063

Test

✅ test — passed

ℹ️ Auto-fix lint issues: homeboy refactor data-machine-code --from lint --write
ℹ️ Collect coverage: homeboy test data-machine-code --coverage
ℹ️ Save test baseline: homeboy test data-machine-code --baseline
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy docs commands/test
Deep dive: homeboy test data-machine-code --changed-since f5b51fb

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27552905063

Audit

✅ audit — passed

• audit — 39 finding(s)
• Total: 39 finding(s)

Deep dive: homeboy audit data-machine-code --changed-since f5b51fb

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-audit-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-audit-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27552905063

Tooling versions

• Homeboy CLI: homeboy 0.229.11+abd7565
• Extension: wordpress from https://github.com/Extra-Chill/homeboy-extensions
• Extension revision: 5d8548d8
• Action: unknown@unknown