
Gate terminal lifecycle transitions with a coordinator#12856

Draft
vorporeal wants to merge 2 commits into
david/centralize-normal-lifecycle-mutationsfrom
david/add-block-lifecycle-coordinator

Conversation

vorporeal (Contributor) commented Jun 20, 2026

Description

Stack PR 5/8; depends on #12855.

Context

Centralizing mutations makes recovery implementable, but it does not by itself prevent invalid evidence from reaching those mutations. Lifecycle hooks still need one authority that understands the current phase, compares incoming evidence with live block state, and decides whether to apply, coalesce, reject, or eventually recover a transition. Command starts must pass through the same authority because accepting a duplicate or invalid start can also set controller state and write bytes to the PTY.

Approach

This PR introduces a private BlockLifecycleCoordinator with an exhaustive, pure transition planner over lifecycle phase, live snapshot, and incoming input. TerminalModel gathers the evidence, asks the coordinator for an action, applies that action through the centralized pipeline from #12855, and only then commits the next phase. Local, shared-session, bootstrap, and in-band start intents are routed through the same gate before model mutation or PTY writes.

Several safety rules apply unconditionally: duplicate or colliding completion identities are rejected, unsafe prompt-only evidence cannot reach mutation paths, repeated starts coalesce, and starts while already executing are rejected before bytes are written. The PR also adds structured, non-UGC, rate-limited diagnostics and introduces TerminalLifecycleRecovery disabled by default. Transitions that would require state-mutating recovery remain ignored while that flag is off.

Review guidance

  • Is every lifecycle hook and command-start entry point gated before it can mutate model/controller state or write PTY bytes?
  • Is the transition planner exhaustive, and does it reconcile stale coordinator state against the live snapshot conservatively?
  • Are unconditional safety rules independent of the recovery flag, while state-mutating recovery remains disabled?
  • Are diagnostics sufficiently useful, rate-limited, and free of user-generated content?

Testing

  • Added exhaustive transition-matrix and phase-reconciliation coverage.
  • Added telemetry allowlist/rate-limit, controller write-gating, shared-session, and normal-flow parity coverage.
  • Final-stack validation: cargo check -p warp --tests, ./script/format, and git diff --check.
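
A sketch of the gate described in this PR, as an added example that is not Warp's code: a pure planner over (phase, live snapshot, incoming input) returns an action; the coordinator hands Apply/Recover actions to the caller's mutation step and commits the next phase only if that step succeeds; prompt-only evidence, colliding completions and duplicate completions are rejected independent of the recovery flag; and a stale coordinator that sees a completion for a start it never recorded is reconciled only when recovery is enabled, otherwise ignored. Every name here (Phase, Snapshot, Input, Action, Coordinator::gate, pty_executing, last_completed_id, the reject reasons) is an assumption for illustration, not an identifier from the PR.

```rust
// Illustrative lifecycle gate. Names and rules are assumptions modelled on the
// PR description, not Warp's BlockLifecycleCoordinator.

/// Phase the coordinator believes the block is in.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Phase {
    Idle,
    Executing { command_id: u64 },
    Completed { command_id: u64 },
}

/// Live block state the model gathers before consulting the planner.
#[derive(Debug, Clone, Copy)]
pub struct Snapshot {
    /// The block currently has a running command on the PTY side.
    pub pty_executing: bool,
    /// Identity of the completion most recently applied to the block.
    pub last_completed_id: Option<u64>,
}

/// Incoming evidence: a start intent, a completion hook, or a bare prompt.
#[derive(Debug, Clone, Copy)]
pub enum Input {
    Start { command_id: u64 },
    Completion { command_id: u64 },
    /// Prompt observed with no start/completion identity attached.
    PromptOnly,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transition {
    Begin { command_id: u64 },
    Finish { command_id: u64 },
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    /// Normal transition; goes through the centralized mutation pipeline.
    Apply(Transition),
    /// Same intent already in flight: no mutation, no PTY write.
    Coalesce,
    /// Invalid evidence dropped before any mutation. Fixed reason, never UGC.
    Reject(&'static str),
    /// Coordinator state is stale versus the snapshot; fixing it mutates state.
    Recover(Transition),
    /// Recovery would be needed but the recovery flag is off.
    Ignore,
}

/// Pure, exhaustive planner: the decision depends only on its arguments.
pub fn plan(phase: Phase, snap: Snapshot, input: Input, recovery_enabled: bool) -> Action {
    match (phase, input) {
        // Unconditional: prompt-only evidence never reaches a mutation path.
        (_, Input::PromptOnly) => Action::Reject("prompt-only evidence"),
        // Starts: repeat of the in-flight command coalesces, anything else while
        // executing is rejected before bytes are written.
        (Phase::Executing { command_id: cur }, Input::Start { command_id }) => {
            if cur == command_id { Action::Coalesce } else { Action::Reject("start while executing") }
        }
        (Phase::Idle | Phase::Completed { .. }, Input::Start { command_id }) => {
            // The live snapshot wins over a stale Idle: do not write to a busy PTY.
            if snap.pty_executing { Action::Reject("start while executing") }
            else { Action::Apply(Transition::Begin { command_id }) }
        }
        // Unconditional: a completion identity already applied is a duplicate.
        (_, Input::Completion { command_id }) if snap.last_completed_id == Some(command_id) => {
            Action::Reject("duplicate completion")
        }
        (Phase::Executing { command_id: cur }, Input::Completion { command_id }) => {
            if cur == command_id { Action::Apply(Transition::Finish { command_id }) }
            else { Action::Reject("colliding completion identity") }
        }
        (Phase::Idle | Phase::Completed { .. }, Input::Completion { command_id }) => {
            // Coordinator never recorded the start. If the block really is executing,
            // reconciling means mutating state, so it is gated by the recovery flag.
            if snap.pty_executing && recovery_enabled { Action::Recover(Transition::Finish { command_id }) }
            else if snap.pty_executing { Action::Ignore }
            else { Action::Reject("completion without execution") }
        }
    }
}

pub struct Coordinator { phase: Phase, recovery_enabled: bool }

impl Coordinator {
    pub fn new(recovery_enabled: bool) -> Self { Self { phase: Phase::Idle, recovery_enabled } }
    pub fn phase(&self) -> Phase { self.phase }

    /// Plan, let `apply` (stand-in for the centralized pipeline) perform the
    /// mutation, and commit the next phase only if it reports success.
    pub fn gate(&mut self, snap: Snapshot, input: Input, apply: impl FnOnce(Transition) -> bool) -> Action {
        let action = plan(self.phase, snap, input, self.recovery_enabled);
        if let Action::Apply(t) | Action::Recover(t) = action {
            if apply(t) {
                self.phase = match t {
                    Transition::Begin { command_id } => Phase::Executing { command_id },
                    Transition::Finish { command_id } => Phase::Completed { command_id },
                };
            }
        }
        action
    }
}

fn main() {
    let mut coordinator = Coordinator::new(false);
    let snap = Snapshot { pty_executing: false, last_completed_id: None };
    let action = coordinator.gate(snap, Input::Start { command_id: 1 }, |_| true);
    println!("{action:?} -> {:?}", coordinator.phase());
}
```

Because `plan` is a total function with no side effects, the transition matrix the PR tests for can be enumerated directly against it; the coordinator only adds the commit-after-mutation ordering, so a failed pipeline step leaves the phase where it was.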

vorporeal and others added 2 commits June 20, 2026 00:21
Co-Authored-By: Oz <oz-agent@warp.dev>
Co-Authored-By: Oz <oz-agent@warp.dev>
vorporeal force-pushed the david/centralize-normal-lifecycle-mutations branch from 4b956c1 to bc95293 on June 20, 2026 05:14
vorporeal force-pushed the david/add-block-lifecycle-coordinator branch from d5c5fd1 to 1ea3538 on June 20, 2026 05:14