feat: add supervised collaboration request path

[mhseo93]

Summary

Adds a server-validated collaboration_request path for supervised agent collaboration so agents do not use raw mention://agent/... handoff links.

This PR is intentionally kept as a draft stacked PR because the branch currently includes dependencies that are not all merged into main yet:

• Depends on feat: harden operator-controlled agent commands #1985 (MHS-18: harden operator-controlled agent commands)
• Includes MHS-20: supervised collaboration policy foundation
• Adds MHS-21: collaboration request data/API/controller/CLI path
• Adds MHS-22: DB-backed handler/router integration coverage for the collaboration request path

What changed

• Adds collaboration_request migration/query/generated model support.
• Adds issue-scoped API endpoints:
  • POST /api/issues/{id}/collaboration-requests
  • GET /api/issues/{id}/collaboration-requests
• Adds CLI surface:
  • multica issue collaboration-request create <issue-id> --to <agent> --purpose <text>
  • multica issue collaboration-request list <issue-id>
• Updates supervised collaboration runtime guidance to route agents through the audited CLI/API path instead of raw agent mentions.
• Hardens server-side request validation:
  • source actor must be an agent
  • active same-issue source task context required via X-Task-ID
  • source/target policies must allow audited same-issue supervised collaboration
  • raw/bare mention://agent is blocked in request purpose/comments
  • self-handoff, direct reverse cycles, and duplicate active same-direction requests are blocked
  • max turns, TTL, and depth are policy-bounded
  • collaboration target task comments are constrained to the originating issue/workspace
• Adds CLI, policy/prompt, handler, and router regression tests.

Validation

Local non-DB validation:

go run github.com/sqlc-dev/sqlc/cmd/sqlc@v1.30.0 compile
go run github.com/sqlc-dev/sqlc/cmd/sqlc@v1.30.0 diff
go test ./cmd/multica ./internal/daemon/execenv ./internal/agentpolicy ./pkg/db/generated -count=1
go test -c ./internal/handler -o /tmp/multica-handler-mhs22b.test
go test -c ./cmd/server -o /tmp/multica-server-mhs22b.test
# compile-only loop across all Go packages: 26 packages compiled
git diff --check

Disposable local DB validation was also completed for the new collaboration_request migration and integration tests:

DATABASE_URL='[LOCAL_DISPOSABLE_DB_URL_NO_PASSWORD]' go run ./cmd/migrate up

DATABASE_URL='[LOCAL_DISPOSABLE_DB_URL_NO_PASSWORD]' \
  go test ./internal/handler \
  -run 'TestCreateCollaborationRequest|TestCollaborationTargetTaskCommentScope' \
  -count=1 -v

DATABASE_URL='[LOCAL_DISPOSABLE_DB_URL_NO_PASSWORD]' \
  go test ./cmd/server \
  -run 'TestCollaborationRequestRoutes' \
  -count=1 -v

Result:

PASS internal/handler
PASS cmd/server
PASS / compiled packages: 26

The disposable DB used a local pgvector/pgvector:pg17 Postgres-compatible container and was stopped/removed after validation. No prod/runtime/daemon/shared DB/Cloud Agent action was performed.

Not included / follow-up

• No prod/runtime activation.
• No daemon restart/stop.
• No shared/prod DB migration apply or direct DB write.
• No Cloud Agent rerun.
• No upstream merge.
• Request/comment/task/activity creation is not fully transactional yet.
• Collaboration request lifecycle transitions (completed, cancelled, expired) are not implemented yet.
• List endpoint pagination is not implemented yet.

Review notes

Please review this as the implementation path for replacing raw agent handoff links with an audited, policy-controlled collaboration_request primitive. Because this branch is stacked, the cleanest review order is:

1. feat: harden operator-controlled agent commands #1985 first
2. MHS-20 supervised collaboration policy foundation
3. MHS-21 collaboration request controller path
4. MHS-22 DB-backed integration test coverage

[vercel]

Someone is attempting to deploy a commit to the IndexLabs Team on Vercel.

A member of the Team first needs to authorize it.