feat: implement issue #444 built-in review integrity + merge guard

[harsh-batheja]

Summary

• Implements core review-integrity domain + append-only resolution records, including policy evaluators for integrity and merge guard in @composio/ao-core.
• Adds end-to-end API flow for thread snapshots and resolution lifecycle: propose, verify, apply (/api/prs/[id]/review-threads, /review-resolutions, /review-resolutions/verify, /review-resolutions/apply).
• Extends merge enforcement in POST /api/prs/[id]/merge to hard-block with structured guard blockers and publishes review-integrity + ao/merge-guard check runs (with commit-status fallback).
• Extends GitHub SCM adapter with review-thread snapshots, PR head SHA lookup, and thread-resolution mutation.

Validation

• corepack pnpm --filter @composio/ao-core test -- review-integrity.test.ts
• corepack pnpm --filter @composio/ao-core typecheck
• corepack pnpm --filter @composio/ao-plugin-scm-github test -- index.test.ts
• corepack pnpm --filter @composio/ao-plugin-scm-github typecheck
• corepack pnpm --filter @composio/ao-web test -- api-routes.test.ts
• corepack pnpm --filter @composio/ao-web typecheck

Progress vs Issue #444

• Done: default enforce-mode integrity evaluation in merge path, machine-readable 422 blockers, and review resolution API lifecycle.
• Done: required check names integrated in guard logic (review-integrity, ao/merge-guard) and check publication support in SCM GitHub plugin.
• Done: drift protection for new commits at verify/apply and merge evaluation points.

Known Blockers / Follow-ups

• Review-activity drift invalidation currently checks commit drift and thread existence, but not full per-thread content/version drift semantics for new review comments.
• Check-run state is guaranteed on merge attempts and resolution lifecycle calls; a dedicated background refresh loop is still needed for always-on parity with live PR state changes.
• GitHub thread fetch currently reads first 100 threads per query (pagination follow-up needed for very large PRs).

Notes

• This PR now contains feature implementation (not docs-only).

[harsh-batheja]

Progress update: implemented issue #444 feature delivery (core review-integrity domain, API propose/verify/apply flow, merge guard enforcement, GitHub SCM thread/check integrations), pushed commit 95b96d2, and updated PR description with validation details.\n\nCurrent blockers/follow-ups tracked in PR body:\n- full review-activity drift semantics (comment/version drift),\n- always-on background check-run refresh loop,\n- review thread pagination beyond first 100 threads.

[harsh-batheja]

Follow-up: fixed the Bugbot-reported duplicate blocker issue in packages/web/src/lib/review-integrity.ts, pushed 88f6668, and reran the flaky Integration Tests workflow after confirming the failure was an external Linear API timeout in packages/integration-tests/src/tracker-linear.integration.test.ts. PR #446 is now green and mergeable.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}