Harden tool approval contracts

[chubes4]

Summary

• Fail closed when a tool resolves to staged approval without required pending-action metadata instead of warning and executing directly.
• Remove automatic ambient runtime parameter binding from ToolExecutor so context values only satisfy tool parameters through explicit client_context_bindings.
• Preserve pipeline handler-tool job context with a narrow, auditable job_id binding at handler-tool resolution.

Closes #2408.
Closes #2409.

Testing

• php tests/tool-executor-ability-native-smoke.php
• vendor/bin/phpcs inc/Engine/AI/Tools/ToolExecutor.php inc/Engine/AI/Tools/ToolManager.php tests/tool-executor-ability-native-smoke.php
• homeboy test --path /Users/chubes/Developer/data-machine@fix-tool-contract-hardening --extension wordpress -- --filter=PipelineExecutionContractTest
• homeboy lint --path /Users/chubes/Developer/data-machine@fix-tool-contract-hardening --extension wordpress --changed-only

Notes

• Full homeboy lint --path /Users/chubes/Developer/data-machine@fix-tool-contract-hardening --extension wordpress currently reports two findings in untouched files: inc/Core/FilesRepository/MediaValidator.php:336 (finfo_close() deprecated) and inc/Engine/AI/ConversationManager.php:365 (Yoda condition). Changed-file lint passes.

AI assistance

• AI assistance: Yes
• Tool(s): OpenCode (GPT-5.5)
• Used for: Drafted the implementation and focused test updates; Chris remains responsible for review and merge.

[homeboy-ci]

Homeboy Results — data-machine

Lint

✅ lint — passed

ℹ️ Full options: homeboy docs commands/lint
Deep dive: homeboy lint data-machine --changed-since 424a39a

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-lint-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-lint-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/26714842337

Test

✅ test — passed

• 115 passed
• 3 skipped

ℹ️ Auto-fix lint issues: homeboy refactor data-machine --from lint --write
ℹ️ Collect coverage: homeboy test data-machine --coverage
ℹ️ Save test baseline: homeboy test data-machine --baseline
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy docs commands/test
Deep dive: homeboy test data-machine --changed-since 424a39a

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/26714842337

Audit

✅ audit — passed

• audit — 59 finding(s)
• Total: 59 finding(s)

Deep dive: homeboy audit data-machine --changed-since 424a39a

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-audit-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-audit-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/26714842337

Tooling versions

• Homeboy CLI: homeboy 0.213.4+af79f7fc
• Extension: wordpress from https://github.com/Extra-Chill/homeboy-extensions
• Extension revision: 06cc67ae
• Action: unknown@unknown