Remediate fail-closed source and lifecycle/regress contracts#35

Merged
davidahmann merged 1 commit into main from codex/adhoc-code-review-remediation on Feb 21, 2026
Conversation

@davidahmann
Contributor

Problem

  • scan --repo/--org could succeed without real GitHub acquisition and emit synthetic source data.
  • Regress and lifecycle identity boundaries were inconsistent, allowing policy/meta findings to drive approval-tracked drift.
  • Manual non-approved identity transitions could retain contradictory approval semantics.

Changes

  • Enforced fail-closed acquisition for --repo/--org when --github-api/WRKR_GITHUB_API_BASE is missing.
  • Removed synthetic org fallback generation from GitHub connector paths.
  • Added shared core/model identity-bearing finding classifier and reused it in scan lifecycle and regress snapshot extraction.
  • Added regress protections so policy/meta-only deltas do not trigger new_unapproved_tool drift.
  • Normalized manual lifecycle transitions (review/deprecate/revoke) to never leave approval_status=valid.
  • Added deterministic default transition reasons when --reason is omitted.
  • Updated CLI/E2E/contract/acceptance coverage and synced command docs/examples.

Validation

  • wrkr scan --path scenarios/wrkr/scan-mixed-org/repos --state .tmp/ship-readiness-state.json --json
  • make prepush-full
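The fail-closed acquisition rule from the Changes list above (refuse `--repo`/`--org` scans unless `--github-api` or `WRKR_GITHUB_API_BASE` is set, and never fall back to a synthetic org), as an added example that is not the project's code. `ResolveGitHubAPIBase`, `ErrNoGitHubAPI`, the `Acquirer` interface, `ScanOrg`, `Repo` and `FakeConnector` are names assumed here for illustration; the fake connector and its repositories are constructed input so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// ErrNoGitHubAPI is the fail-closed sentinel for --repo/--org scans that have
// no acquisition endpoint. Name and message are assumptions for this example.
var ErrNoGitHubAPI = errors.New(
	"scan --repo/--org needs --github-api or WRKR_GITHUB_API_BASE; refusing to emit synthetic source data")

// ResolveGitHubAPIBase applies flag-over-env precedence and validates the
// result. lookup is injected (os.LookupEnv in real use) so the function runs
// offline and is testable without mutating the process environment.
func ResolveGitHubAPIBase(flag string, lookup func(string) (string, bool)) (string, error) {
	base := strings.TrimSpace(flag)
	if base == "" {
		if v, ok := lookup("WRKR_GITHUB_API_BASE"); ok {
			base = strings.TrimSpace(v)
		}
	}
	if base == "" {
		return "", ErrNoGitHubAPI
	}
	u, err := url.Parse(base)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return "", fmt.Errorf("invalid GitHub API base %q: want an https URL with a host and no embedded credentials", base)
	}
	return strings.TrimRight(u.String(), "/"), nil
}

// Repo is the minimal acquired-repository shape assumed here.
type Repo struct {
	FullName      string
	DefaultBranch string
}

// Acquirer abstracts the GitHub connector so the scan can be exercised with a fake.
type Acquirer interface {
	ListOrgRepos(org string) ([]Repo, error)
}

// ScanOrg fails closed: with no acquirer, or on any acquisition error, it
// returns an error and no repositories, never a placeholder org.
func ScanOrg(acq Acquirer, org string) ([]Repo, error) {
	if acq == nil {
		return nil, ErrNoGitHubAPI
	}
	repos, err := acq.ListOrgRepos(org)
	if err != nil {
		return nil, fmt.Errorf("acquire org %q: %w", org, err)
	}
	return repos, nil
}

// FakeConnector is a constructed stand-in for the GitHub connector (not real acquisition).
type FakeConnector struct {
	Repos map[string][]Repo
	Err   error
}

func (f FakeConnector) ListOrgRepos(org string) ([]Repo, error) {
	if f.Err != nil {
		return nil, f.Err
	}
	repos, ok := f.Repos[org]
	if !ok {
		return nil, fmt.Errorf("org %q not found", org)
	}
	return repos, nil
}

func main() {
	base, err := ResolveGitHubAPIBase("", os.LookupEnv)
	if err != nil {
		fmt.Println("fail-closed:", err)
	} else {
		fmt.Println("acquisition endpoint:", base)
	}
	fake := FakeConnector{Repos: map[string][]Repo{
		"octo-org": {{FullName: "octo-org/cli", DefaultBranch: "main"}},
	}}
	repos, err := ScanOrg(fake, "octo-org")
	fmt.Println(len(repos), "repos acquired, err:", err)
	_, err = ScanOrg(nil, "octo-org")
	fmt.Println("no connector:", err)
}
```

The point of the shape is that the only way to get repositories out of `ScanOrg` is through a real `Acquirer` call that succeeded; there is no branch that manufactures data when the endpoint is missing or the connector errors, so a misconfigured CI job fails visibly instead of producing a green scan over fabricated sources.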

@davidahmann davidahmann merged commit 2683fdd into main Feb 21, 2026
5 checks passed
@davidahmann davidahmann deleted the codex/adhoc-code-review-remediation branch February 21, 2026 20:59

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5ad7cedf7c


Comment on lines 184 to +185
case identity.StateRevoked, identity.StateDeprecated, identity.StateUnderReview:
if strings.TrimSpace(reason) != "" {
record.ApprovalState = "revoked"
}
record.ApprovalState = "revoked"
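Review bot: all three lifecycle targets in this case arm (StateUnderReview, StateDeprecated, StateRevoked) now write the same literal "revoked" into record.ApprovalState, so anything that reads approval_state on its own can no longer tell a tool paused for review from one that was actually revoked; consider a distinct value per transition, or a single "not_approved" sentinel here with the lifecycle state carrying the distinction. The unconditional assignment also drops the old `strings.TrimSpace(reason) != ""` guard; if the default-reason logic is meant to cover the empty case, a test that exercises an empty --reason on each of the three transitions would make that visible at this call site.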


P1: Clear approval metadata on non-approved transitions

ApplyManualState now forces approval_state to revoked for review/deprecate/revoke, but it leaves the existing Approval fields intact. On the next scan, Reconcile calls applyApprovalState, which recomputes approval from Approval.Expires and can flip that same identity back to approval_state=valid if the old approval is still unexpired (e.g., approve -> revoke -> scan). This reintroduces contradictory lifecycle semantics and can affect regress behavior because isApproved treats approval_status=valid as approved.

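The approve -> revoke -> scan sequence the review comment above describes, and the PR's stated goal that manual review/deprecate/revoke transitions never leave approval_status=valid, as an added example that is not the project's code. The State names mirror the identity.State* constants in the hunk; Record, Approval, ApplyApprovalState, IsApproved, DefaultReason, Replay and the two ApplyManualState variants are assumptions made here to show the regression and the metadata-clearing fix side by side, and the timeline is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// State names follow the identity.State* constants visible in the hunk; the
// record shape, field names and function names below are assumptions for this
// example, not the project's types.
type State string

const (
	StateActive      State = "active"
	StateUnderReview State = "under_review"
	StateDeprecated  State = "deprecated"
	StateRevoked     State = "revoked"
)

// Approval is the metadata the reviewer refers to as Approval.Expires.
type Approval struct {
	ApprovedBy string
	Expires    time.Time
}

type Record struct {
	ID            string
	State         State
	ApprovalState string // "none", "valid", "expired" or "revoked"
	Approval      *Approval
	Reason        string
}

// ApplyApprovalState models the reconcile step the review describes: whenever
// approval metadata is present, approval_state is recomputed from its expiry
// alone, without consulting the lifecycle state.
func ApplyApprovalState(r *Record, now time.Time) {
	if r.Approval == nil {
		return // nothing to recompute from; keep whatever the lifecycle set
	}
	if now.After(r.Approval.Expires) {
		r.ApprovalState = "expired"
		return
	}
	r.ApprovalState = "valid"
}

// IsApproved is the predicate regress drift detection keys on.
func IsApproved(r *Record) bool { return r.ApprovalState == "valid" }

// DefaultReason stands in for the deterministic default used when --reason is omitted.
func DefaultReason(target State) string { return "manual " + string(target) }

var ErrNotManualTransition = errors.New("target is not a manual lifecycle transition")

// ApplyManualStateBuggy reproduces the flagged behaviour: approval_state is
// forced to "revoked" but the Approval metadata is left in place.
func ApplyManualStateBuggy(r *Record, target State, reason string) error {
	switch target {
	case StateRevoked, StateDeprecated, StateUnderReview:
		if strings.TrimSpace(reason) == "" {
			reason = DefaultReason(target)
		}
		r.State, r.Reason = target, reason
		r.ApprovalState = "revoked"
		return nil
	}
	return ErrNotManualTransition
}

// ApplyManualStateFixed additionally drops the approval metadata, so the next
// reconcile has nothing from which to recompute "valid".
func ApplyManualStateFixed(r *Record, target State, reason string) error {
	if err := ApplyManualStateBuggy(r, target, reason); err != nil {
		return err
	}
	r.Approval = nil
	return nil
}

// Replay runs approve -> manual revoke -> scan with the given transition and
// returns the record as the second scan leaves it.
func Replay(transition func(*Record, State, string) error) *Record {
	t0 := time.Date(2026, 2, 21, 0, 0, 0, 0, time.UTC) // constructed timeline
	r := &Record{ID: "tool:octo-cli", State: StateActive, ApprovalState: "none"}
	r.Approval = &Approval{ApprovedBy: "sec-review", Expires: t0.Add(30 * 24 * time.Hour)}
	ApplyApprovalState(r, t0)                   // scan 1: approval is fresh -> valid
	_ = transition(r, StateRevoked, "")         // manual revoke with --reason omitted
	ApplyApprovalState(r, t0.Add(24*time.Hour)) // scan 2: reconcile recomputes
	return r
}

func main() {
	for _, tc := range []struct {
		name string
		tr   func(*Record, State, string) error
	}{{"buggy", ApplyManualStateBuggy}, {"fixed", ApplyManualStateFixed}} {
		r := Replay(tc.tr)
		fmt.Printf("%s: state=%s approval_state=%s approved=%t reason=%q\n",
			tc.name, r.State, r.ApprovalState, IsApproved(r), r.Reason)
	}
}
```

With the buggy transition the second scan reports approval_state=valid on a record whose lifecycle state is revoked, exactly the contradiction the comment warns about, and IsApproved returns true so regress would not flag it. Clearing the metadata at transition time is the smallest fix; the alternative of teaching the reconcile step to respect lifecycle state is also workable but leaves stale approval data on disk.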
