Retire schema guard from package workspace contract (#148)

[fitz123]

Summary

Stacked on #151 / issue-148-package-cli-workspace-contract.

This follow-up completes the corrected #148 architecture:

• treats --workspace as the control/app workspace;
• allows absolute agents.*.workspaceCwd outside the control workspace;
• retires schema/write-guard package contract (schema.md, MINIME_SCHEMA_PATH, Pi guard extension, Claude guard hooks);
• keeps Telegram/Discord/Tavily as control-workspace/global secrets;
• passes non-secret control path refs to Pi parent/cron/subagent children;
• keeps Tavily on dedicated control-root config/secrets.sops.yaml + tavily.api_key;
• adds deterministic schema/guard contract removal check and private cleanup artifact.

Validation

Ralphex reported:

• git diff --check
• npm run typecheck
• npm run check:schema-guard-contract
• npm run validate-config
• npm test — 1434 pass, 0 fail
• npm run build
• npm run workspace:validate -- --workspace ./test-fixtures/minimal-workspace
• npm pack --dry-run

After syncing the final #151 base commit into this branch, I re-ran:

• git diff --check
• cd bot && npm run check:schema-guard-contract
• cd bot && npm run typecheck
• cd bot && npm run validate-config
• cd bot && npm test — 1434 pass, 0 fail
• cd bot && npm run build
• cd bot && npm run workspace:validate -- --workspace ./test-fixtures/minimal-workspace
• cd bot && npm pack --dry-run

Notes

• This is a replacement stacked PR after Retire schema guard from package workspace contract (#148) #152 was accidentally marked merged while the base branch was briefly advanced; the base branch has been restored to Prepare package CLI and workspace contract #151 head.
• Do not merge before Prepare package CLI and workspace contract #151 settles/merges.
• Do not merge without explicit Ninja approval.

[fitz123]

@copilot please re-review — fixes pushed since the last review

[fitz123]

@copilot please re-review — fixes pushed since the last review

[fitz123]

@copilot please review this pull request for correctness and security.

[Copilot]

@copilot please re-review — fixes pushed since the last review

Addressed one follow-up issue in 4049c3e: Pi child env propagation now passes explicit control config/crons overrides as resolved absolute paths, with parent and subagent tests updated and revalidated.

[Copilot]

@copilot please review this pull request for correctness and security.

Reviewed the stacked diff for correctness and security and didn’t find any blocking issues. I also re-ran the relevant bot validations locally after installing dependencies: npm run typecheck, node --experimental-test-module-mocks --import tsx --test src/__tests__/pi-rpc-protocol.test.ts, npm run check:schema-guard-contract, npm run validate-config, and npm run workspace:validate -- --workspace ./test-fixtures/minimal-workspace all passed.

[fitz123]

@copilot please re-review — fixes pushed since the last review

[fitz123]

@copilot please re-review — fixes pushed since the last review

[Copilot]

@copilot please re-review — fixes pushed since the last review

Re-reviewed the latest follow-up around be3f263. The updated assertions now match the implementation in buildPiSpawnEnv() / buildPiSubagentChildSpawnEnv(), which resolves explicit MINIME_CONFIG_PATH and MINIME_CRONS_PATH overrides to absolute control-workspace paths before passing them to Pi children. Revalidated with cd bot && npm run typecheck, cd bot && node --experimental-test-module-mocks --import tsx --test src/__tests__/pi-rpc-protocol.test.ts, and cd bot && npm run check:schema-guard-contract; I didn’t find any new blocking correctness or security issues in the latest fix.