feat(workspace): clone-based Workspace adapter #34

Open: harshitsinghbhandari wants to merge 1 commit into main from feat/aa-25

@harshitsinghbhandari
Collaborator

Closes #aa-25

Summary

Adds backend/internal/adapters/workspace/clone/ alongside the existing gitworktree adapter. Same ports.Workspace surface — no new port methods. Per session, this adapter does a full git clone into <managedRoot>/<project>/<session> instead of registering a worktree.

clone vs worktree

| Aspect | gitworktree | clone (this PR) |
| --- | --- | --- |
| Isolation | Shared .git/; worktree register on the source | Independent .git/ per session |
| Disk cost | Cheap — checkout + porcelain pointer | Full object DB per clone |
| Source coupling | Pruning the source repo breaks every worktree | Source can be repacked/pruned without effect on existing clones |
| Concurrent Create from same source | Contends on source's worktrees/ registry | None — each dest has its own .git/index.lock; source's pack files are read-only |
| Removal safety | git worktree remove (no --force) + post-prune still-registered guard | git status --porcelain dirty check + os.RemoveAll (no --force ever, no escape hatch) |
| When to pick | Single-host, many short-lived sessions on the same disk | Detached environments, cross-host sync, or any case where the source repo's state shouldn't constrain a session's lifetime |

Design notes ported from the upstream TS reference

  • Per-session directory layout <managedRoot>/<projectID>/<sessionID> (same shape as gitworktree).
  • checkout -b <branch> with fallback to plain checkout <branch> when the branch already exists (mirrors upstream's branch-collision fallback).
  • Skip corrupt clones in List rather than failing the whole call.

Upstream ideas NOT ported (and why)

  • git clone --reference <source> — concurrent clones from the same source would alias each other's object DB and create a coupled failure mode if the source were repacked/pruned. The task's hard requirement for race-free concurrent clones rules this out.
  • recordActivityEvent telemetry (branch_collision, corrupt_clone_skipped) — would require a new outbound port; explicitly out of scope per the task ("No new port methods").
  • postCreate lifecycle hook — not part of ports.Workspace; same reasoning.
  • getShell() / Windows shell abstraction — task scope is macOS/Linux only.
  • exists() method on the adapter — not in the Go port; Restore folds the existence check inline.
  • ~ home-directory expansion — left to the RepoResolver caller, where path conventions belong.

Hard requirements met

  1. ✅ Same ports.Workspace interface, asserted by var _ ports.Workspace = (*Workspace)(nil).
  2. ✅ Programmable commandRunner (same pattern as gitworktree); all 39 unit tests use it — no real git is invoked.
  3. ✅ Path-escape protection: validatePathComponent rejects ids with separators / . / ..; validateManagedPath resolves symlinks (physicalAbs) before checking containment. Mirrors PR #23's RB fix (PR #23: "fix: address LCM/SM review blockers R1, RA, R11, RB"). Tested for .., absolute-outside-root, symlink ladder, empty, and relative paths.
  4. ✅ Never passes --force. Destroy refuses if git status --porcelain is non-empty; no Force field exists on the adapter or the port. TestCommandArgsNeverUseForce is a belt-and-braces guard that pins this for every arg builder. Mirrors PR #23's RA fix (PR #23: "fix: address LCM/SM review blockers R1, RA, R11, RB").
  5. ✅ Bare/non-bare source — plain git clone <source> <dest> works against both transparently; documented in package doc.
  6. ✅ Concurrency: no shared lock between two clones from the same source — documented model in the package doc.

Test plan

  • go build ./... clean
  • go test ./...: 289 passed in 14 packages (39 new tests in the clone package, full suite still green)
  • All clone tests run via the programmable exec runner; no real git binary invoked
  • Path-escape attempts (.., absolute outside root, symlink ladder, empty, relative) all rejected with ErrUnsafePath
  • Dirty workspace refused by Destroy with ErrDirtyWorkspace; directory preserved
  • Mismatched origin on Restore returns ErrOriginMismatch
  • TestCommandArgsNeverUseForce regression guard

🤖 Generated with Claude Code

Adds backend/internal/adapters/workspace/clone alongside the existing
gitworktree adapter. Same ports.Workspace surface (no new methods); per
session the adapter does a full `git clone` into managedRoot/<project>/<session>
instead of a worktree register.

Key choices vs the upstream TypeScript reference:
- Plain `git clone` (no --reference / --shared) so concurrent clones from
  the same source never contend on a shared lock file or alternates DB.
- Destroy never passes --force and has no Force escape hatch; refuses when
  `git status --porcelain` is non-empty (mirrors the RA fix on PR #23).
- validatePathComponent + validateManagedPath reject ids and paths that
  could escape managedRoot, including symlink ladders (RB fix parity).
- Restore reuses an existing valid clone after verifying its origin URL
  matches the configured repo; mismatched origin returns ErrOriginMismatch.

Tests use a programmable exec runner only — no real git is invoked.
@harshitsinghbhandari added the labels coding-agents (Runtime + Workspace + Agent adapters lane), adapter (Adapter implementation change only) and needs-review (Author signals ready for review) on May 30, 2026
@harshitsinghbhandari added this to the rewrite milestone on Jun 5, 2026
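
The path-escape requirement in the description (component validation plus symlink-resolved containment under the managed root) can be sketched as follows. This is an added example, not code from this PR: `sessionDir`, `physical` and `errUnsafe` are hypothetical names, and resolving the longest existing prefix of a not-yet-created destination is an assumption about how such a check has to work before a clone exists.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errUnsafe = errors.New("unsafe path") // stand-in for the PR's ErrUnsafePath

// physical resolves symlinks on the longest existing prefix of an absolute path
// and re-appends the missing tail: a clone destination does not exist yet.
func physical(p string) (string, error) {
	tail := ""
	for p = filepath.Clean(p); ; p = filepath.Dir(p) {
		if _, err := os.Lstat(p); err == nil {
			res, err := filepath.EvalSymlinks(p) // fails on a dangling link
			return filepath.Join(res, tail), err
		} else if !errors.Is(err, os.ErrNotExist) || p == filepath.Dir(p) {
			return "", err
		}
		tail = filepath.Join(filepath.Base(p), tail)
	}
}

// sessionDir (hypothetical name) returns <root>/<project>/<session>, or errUnsafe
// when an id spans more than one level or the result resolves outside root.
func sessionDir(root, project, session string) (string, error) {
	for _, id := range []string{project, session} {
		if id == "" || id == "." || id == ".." || strings.ContainsAny(id, `/\`) {
			return "", fmt.Errorf("%w: component %q", errUnsafe, id)
		}
	}
	r, err := physical(root)
	if err != nil || !filepath.IsAbs(root) {
		return "", fmt.Errorf("%w: bad root %q", errUnsafe, root)
	}
	d, err := physical(filepath.Join(r, project, session))
	up := ".." + string(filepath.Separator)
	if rel, _ := filepath.Rel(r, d); err != nil || rel == ".." || strings.HasPrefix(rel, up) {
		return "", fmt.Errorf("%w: %s/%s resolves outside %s", errUnsafe, project, session, r)
	}
	return d, nil
}

func main() {
	fmt.Println(sessionDir(os.TempDir(), "proj", "../x"))
}
```

The check is a point-in-time test: a caller that validates and then clones still has to make sure nothing else can create symlinks under the managed root between the two steps.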