Guard attach against cross-worktree sessions

[peyton-alt]

https://entire.io/gh/entireio/cli/trails/596

Summary

• Refuse entire session attach when an existing tracked session belongs to another worktree.
• Compare stored WorktreeID first so git worktree move remains attachable; fall back to normalized WorktreePath for legacy state.
• Add --allow-cross-worktree for explicit override on session attach and review attach.
• Add unit and integration coverage for wrong-worktree refusal, moved-worktree attach, and explicit override.

Validation

• GOCACHE=/private/tmp/entire-go-cache go test ./cmd/entire/cli -run 'TestAttach_' -count=1
• GOCACHE=/private/tmp/entire-go-cache go test -tags=integration ./cmd/entire/cli/integration_test -run 'TestAttach_(RefusesTrackedSessionFromDifferentWorktree|AllowsTrackedSessionAfterWorktreeMove)' -count=1
• GOCACHE=/private/tmp/entire-go-cache go test -tags=integration ./cmd/entire/cli/integration_test -run 'TestAttach_' -count=1
• GOCACHE=/private/tmp/entire-go-cache go test ./cmd/entire/cli -run 'Test(Attach|ReviewAttach)_' -count=1
• mise run lint
• mise run check

Notes

• --force still only skips amend confirmation. It does not bypass the worktree identity guard.
• Rebased on current main at e3fc6f88c.
• Latest commit: 41dbf9bef8c6e509781cd365750efef8c4aaeaa6 with Entire-Checkpoint: c8a3d493b515.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 093d1ca. Configure here.}

[Copilot]

Pull request overview

This PR adds a safety guard to prevent entire session attach (and entire review attach) from attaching/amending in the wrong git worktree when a tracked session’s state indicates it belongs to a different worktree, with an explicit --allow-cross-worktree escape hatch. This reduces the chance of accidentally amending the “wrong” HEAD in multi-worktree setups.

Changes:

• Add --allow-cross-worktree to both session attach and review attach, and plumb it into attachOptions.
• Add attach-time worktree validation (validateAttachWorktree) before any checkpoint write/amend.
• Add unit + integration tests covering refusal behavior and explicit override behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
cmd/entire/cli/attach.go	Adds AllowCrossWorktree flag plumbing and a worktree mismatch guard before attach proceeds.
cmd/entire/cli/review_helpers.go	Exposes --allow-cross-worktree on entire review attach and forwards it into attach options.
cmd/entire/cli/attach_test.go	Adds unit coverage for refusing cross-worktree attach and for the explicit override.
cmd/entire/cli/integration_test/attach_test.go	Adds integration coverage to ensure wrong-worktree attach refusal does not amend the wrong HEAD or add trailers.