Add read-only context repositories

[chubes4]

Summary

• Adds canonical read-only context repository specs via datamachine_code_context_repositories, with aliases, refs, optional path allowlists, and machine-readable policy attestations.
• Allows read/list/search/status-style operations on context repos while rejecting write/edit/apply-patch/git mutation/publication operations with context_repository_read_only policy errors.
• Extends local workspace and GitHub-backed remote workspace paths so the target workspace remains the only writable/PR boundary.

Closes #617.

Tests

• homeboy --force-hot lint data-machine-code --path "/Users/chubes/Developer/data-machine-code@issue-617-readonly-context-repos" --changed-since c474155b0d23d7da42e6db11ee0304a954123b50
• php tests/smoke-workspace-context-repositories.php
• php tests/smoke-remote-workspace-backend.php
• php tests/smoke-workspace-policy-enforcement.php
• php tests/smoke-workspace-alias-tools.php
• php tests/smoke-tool-schemas.php
• php -l on all changed PHP files
• git diff --check

AI assistance

• AI assistance: Yes
• Tool(s): OpenCode (GPT-5.5)
• Used for: Drafting and implementing the context repository policy layer, smoke coverage, lint cleanup, and PR description; Chris remains responsible for review and merge.

[homeboy-ci]

Homeboy Results — data-machine-code

Lint

✅ lint — passed

ℹ️ Full options: homeboy docs commands/lint
ℹ️ Save lint baseline: homeboy lint data-machine-code --baseline
Deep dive: homeboy lint data-machine-code --changed-since c474155

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-lint-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-lint-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27301545037

Test

✅ test — passed

ℹ️ Auto-fix lint issues: homeboy refactor data-machine-code --from lint --write
ℹ️ Collect coverage: homeboy test data-machine-code --coverage
ℹ️ Save test baseline: homeboy test data-machine-code --baseline
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy docs commands/test
Deep dive: homeboy test data-machine-code --changed-since c474155

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27301545037

Audit

✅ audit — passed

• audit — 51 finding(s)
• Total: 51 finding(s)

Deep dive: homeboy audit data-machine-code --changed-since c474155

Artifacts and drill-down

• CI results artifact: homeboy-ci-results-data-machine-code-audit-quality-Linux-node24 contains immediate command JSON for this action invocation.
• Observation artifact: homeboy-observations-data-machine-code-audit-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
• Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
• Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine-code/actions/runs/27301545037

Tooling versions

• Homeboy CLI: homeboy 0.228.2+b2ce746
• Extension: wordpress from https://github.com/Extra-Chill/homeboy-extensions
• Extension revision: 8758c05d
• Action: unknown@unknown