Preserve branch-committed skills on worktree teardown (#59)

[stempeck]

Fixes #59. Implements the git-provenance solution selected in the #60 analysis (intended for the ultra-implement pass). PR #60 carries analysis only; this PR is the code fix.

Summary

cleanupMergedSkills (internal/worktree/worktree.go) decided what to delete by inferring provenance from a name collision with the live factory .claude/skills/ — it os.RemoveAll'd every worktree skill dir whose name matched a factory skill, with no record of whether the lifecycle merge-copied it or the branch committed it. So a branch-committed skill whose directory name collided with a factory skill was destroyed on teardown (reachable via af down, af down --reset, af sling --reset, formula completion, and GC()), surfacing as uncommitted D deletions and making the skill unloadable for the session. This was the 4th recurrence of the anti-pattern ADR-017 forbids.

Fix

Gate deletion on git provenance:

• A skill directory tracked in the worktree's git index is branch content → preserve.
• An untracked, factory-name-matching directory is a merge copy → remove.
• If the git invocation fails (git unavailable / not a repo), delete nothing (ADR-017 Rule 3: when in doubt, don't delete).

The change is localized to cleanupMergedSkills (plus a new trackedSkillDirs helper using git ls-files -z), so all teardown paths inherit it. It also resolves the latent ordering hazard: deleting a tracked dir before the non-force git worktree remove dirtied the tree and bricked teardown; preserving tracked dirs lets the remove succeed. No new imports.

Tests

• TestCleanupMergedSkills_PreservesBranchCommittedCollidingSkill — tracked colliding skill survives; untracked merge copy removed.
• TestCleanupMergedSkills_FailSafeWhenProvenanceUnknown — git failure ⇒ nothing deleted (deterministic via broken .git boundary).
• TestRemove_PreservesBranchCommittedCollidingSkill — end-to-end through the public non-force Remove path, reproducing the teardown-brick symptom against pre-fix code.
• Reworked TestCleanupMergedSkills_RemovesFactoryCopiedEntries to a real git repo with untracked merge copies.

All four new/changed tests confirmed to fail against pre-fix code and pass after. Full make test green; changed funcs at 93.8% / 100% coverage.

ultra-implement process

• Phase 1: parallel investigation, consensus 4/4 HIGH.
• Phase 2: TDD (Gherkin, RED→GREEN, rollback), code review APPROVED.
• Phase 3: blind review 8/10; clause-by-clause spec compliance. All 6 gates passed.

🤖 Generated with Claude Code

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

agentfactory seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}