fix(#411): complete 2026-02-17 remediation sweep

Apply RLS context at task service boundaries, harden orchestrator/web integration and session startup behavior, re-enable targeted frontend tests, and lock vulnerable transitive dependencies so QA and security gates pass cleanly.

scripts/agent/session-start.sh

@@ -9,8 +9,35 @@ ensure_repo_root
 load_repo_hooks
 
 if git rev-parse --is-inside-work-tree >/dev/null 2>&1 && has_remote; then
+  current_branch="$(git rev-parse --abbrev-ref HEAD)"
+  upstream_ref="$(git rev-parse --abbrev-ref --symbolic-full-name "@{upstream}" 2>/dev/null || true)"
+
+  if [[ -n "$upstream_ref" ]] && ! git show-ref --verify --quiet "refs/remotes/$upstream_ref"; then
+    echo "[agent-framework] Upstream ref '$upstream_ref' is missing; attempting to self-heal branch tracking"
+
+    fallback_upstream=""
+    if git show-ref --verify --quiet "refs/remotes/origin/develop"; then
+      fallback_upstream="origin/develop"
+    elif git show-ref --verify --quiet "refs/remotes/origin/main"; then
+      fallback_upstream="origin/main"
+    fi
+
+    if [[ -n "$fallback_upstream" ]] && [[ "$current_branch" != "HEAD" ]]; then
+      git branch --set-upstream-to="$fallback_upstream" "$current_branch" >/dev/null
+      upstream_ref="$fallback_upstream"
+      echo "[agent-framework] Set upstream for '$current_branch' to '$fallback_upstream'"
+    else
+      echo "[agent-framework] No fallback upstream found; skipping pull"
+      upstream_ref=""
+    fi
+  fi
+
   if git diff --quiet && git diff --cached --quiet; then
-    run_step "Pull latest changes" git pull --rebase
+    if [[ -n "$upstream_ref" ]]; then
+      run_step "Pull latest changes" git pull --rebase
+    else
+      echo "[agent-framework] Skip pull: no valid upstream configured"
+    fi
   else
     echo "[agent-framework] Skip pull: working tree has local changes"
   fi