fix(tui): preserve standing YOLO authority for runtime continuations

[Hmbown]

Refs #3800.

Problem

A YOLO session can still prompt for force-push / PR-create approval when the action comes from a runtime continuation or sub-agent handoff. The session already had standing YOLO authority, but effective_input_policy stripped mode = Yolo, trust_mode, auto_approve, and auto/bypass approval for every provenance except ExternalUser.

Change

• Let Runtime and SubAgentHandoff inherit standing auto-approval authority inside effective_input_policy.
• Keep UserInputProvenance::can_authorize_work() strict for other authorization callers.
• Keep the downgrade guard for injection-prone provenance: ImportedTranscript, MemoryRecall, and AssistantGenerated still continue with approvals required if they would otherwise inherit automatic authority.
• Do not invent authority for non-YOLO/non-auto sessions.

Verification

• cargo fmt
• cargo test -p codewhale-tui --bin codewhale-tui --locked provenance_gate
• git diff --check

The new tests cover all six UserInputProvenance variants under both a YOLO session and a non-YOLO session.

[claude]

Claude finished @Hmbown's task in 2m 20s —— View job

---

PR Review: fix(tui): preserve standing YOLO authority for runtime continuations

• Gather context and read changed files
• Review engine.rs changes
• Review engine/tests.rs changes
• Summarize findings

---

Summary

The logic is sound: introducing provenance_can_inherit_standing_auto_authority as a named helper is cleaner than the old !provenance.can_authorize_work() inline, and the invariant — injection-prone provenances (ImportedTranscript, MemoryRecall, AssistantGenerated) still downgrade even in YOLO sessions — is correctly preserved. A few things worth addressing:

---

Findings

1. Input authority metadata is now misleading for Runtime / SubAgentHandoff (engine.rs:1986)

can_authorize_work() was not updated and still returns true only for ExternalUser. The model's context block therefore reports Input authority: non_authoritative for Runtime and SubAgentHandoff inputs, even when the effective policy now grants them full YOLO authority. If the model reasons about this field to decide whether to proceed autonomously, the mismatch works against the feature.

// engine.rs:1986 — still uses can_authorize_work(), not provenance_can_inherit_standing_auto_authority
format!(
    "Input authority: {}",
    if provenance.can_authorize_work() {
        "external_current_turn"
    } else {
        "non_authoritative"   // ← Runtime/SubAgentHandoff in YOLO land here
    }
),

Either update this block to expose three tiers (external_current_turn / inherited_standing_authority / non_authoritative), or at minimum add a comment explaining the intentional divergence between source provenance and effective authority. Fix this →

---

2. Test gap: Agent-mode trust_mode inheritance isn't covered

provenance_gate_never_invents_auto_authority_for_non_yolo_sessions passes trust_mode: false, auto_approve: false. It verifies that inheritance doesn't create authority, which is correct. But it misses the real behavior change for non-YOLO sessions: before this PR, a Runtime input in an AppMode::Agent session with trust_mode: true would have trust_mode stripped; after this PR, it's preserved. That's an observable change in behavior with no test.

Suggested case to add:

// Runtime in Agent mode keeps standing trust_mode
let policy = effective_input_policy(
    UserInputProvenance::Runtime,
    AppMode::Agent,
    "continue",
    true,  // allow_shell
    true,  // trust_mode — standing flag
    false, // auto_approve
    crate::tui::approval::ApprovalMode::Suggest,
);
assert_eq!(policy.mode, AppMode::Agent);
assert!(policy.trust_mode);  // inherited, not invented
assert!(policy.status.is_none());

Fix this →

---

3. Minor: ApprovalMode::Bypass not exercised in the new gate test

The downgrade path explicitly checks ApprovalMode::Bypass alongside Auto. The new test only passes ApprovalMode::Auto, so the Bypass → Suggest downgrade for injection-prone provenances isn't covered. Low-stakes but easy to add a second iteration of the test with Bypass.

---

What's good

• Helper name provenance_can_inherit_standing_auto_authority clearly states intent; reading the callsite is now self-documenting.
• can_authorize_work() left strict — correct, since that method still guards separate authorization callers at line 1986 and elsewhere.
• Combined test loops over all 6 variants with per-variant failure labels — much easier to debug than the old separate tests.
• "Never invents authority" test is the right invariant to nail down.

---