fix: address review findings — backward compat, ACP safety, result timing, security

- Fix 1: tasks_md_sync only sets MACP fields when columns exist in table headers
- Fix 2: ACP dispatch now escalates instead of falsely completing
- Fix 3: Removed premature collect_result() from dispatch_task()
- Fix 4: Yolo brief staged via temp file (0600) instead of process args
- Fix 5: cleanup_worktree validates path against configured worktree base

tools/orchestrator-matrix/controller/mosaic_orchestrator.py

@@ -225,6 +225,24 @@ def run_single_task(repo_root: pathlib.Path, orch_dir: pathlib.Path, config: dic
         rc, output, timed_out = run_shell(cmd, repo_root, log_path, timeout_sec)
 
     if rc != 0:
+        if is_macp_task(task) and str(task.get("status") or "") == "escalated":
+            task["failed_at"] = str(task.get("failed_at") or now_iso())
+            emit_event(
+                events_path,
+                "task.escalated",
+                task_id,
+                "escalated",
+                "controller",
+                str(task.get("escalation_reason") or task.get("error") or "Task requires human intervention."),
+            )
+            save_json(tasks_path, {"tasks": task_items})
+            state["running_task_id"] = None
+            state["updated_at"] = now_iso()
+            save_json(state_path, state)
+            macp_dispatcher.collect_result(task, rc, [], orch_dir)
+            if bool(config.get("macp", {}).get("cleanup_worktrees", True)):
+                macp_dispatcher.cleanup_worktree(task, config)
+            return True
         if not task.get("error"):
             task["error"] = f"Worker command timed out after {timeout_sec}s" if timed_out else f"Worker command failed with exit code {rc}"
         if attempt < max_attempts:
@@ -247,9 +265,10 @@ def run_single_task(repo_root: pathlib.Path, orch_dir: pathlib.Path, config: dic
         state["updated_at"] = now_iso()
         save_json(state_path, state)
         if is_macp_task(task):
-            macp_dispatcher.collect_result(task, rc, [], orch_dir)
-            if task["status"] == "failed" and bool(config.get("macp", {}).get("cleanup_worktrees", True)):
-                macp_dispatcher.cleanup_worktree(task)
+            if task["status"] == "failed":
+                macp_dispatcher.collect_result(task, rc, [], orch_dir)
+                if bool(config.get("macp", {}).get("cleanup_worktrees", True)):
+                    macp_dispatcher.cleanup_worktree(task, config)
         else:
             save_json(
                 results_dir / f"{task_id}.json",
@@ -269,7 +288,7 @@ def run_single_task(repo_root: pathlib.Path, orch_dir: pathlib.Path, config: dic
         save_json(state_path, state)
         macp_dispatcher.collect_result(task, rc, [], orch_dir)
         if bool(config.get("macp", {}).get("cleanup_worktrees", True)):
-            macp_dispatcher.cleanup_worktree(task)
+            macp_dispatcher.cleanup_worktree(task, config)
         return True
 
     task["status"] = "gated"
@@ -332,9 +351,10 @@ def run_single_task(repo_root: pathlib.Path, orch_dir: pathlib.Path, config: dic
     state["updated_at"] = now_iso()
     save_json(state_path, state)
     if is_macp_task(task):
-        macp_dispatcher.collect_result(task, rc, gate_results, orch_dir)
-        if task["status"] in {"completed", "escalated"} and bool(config.get("macp", {}).get("cleanup_worktrees", True)):
-            macp_dispatcher.cleanup_worktree(task)
+        if task["status"] in {"completed", "failed", "escalated"}:
+            macp_dispatcher.collect_result(task, rc, gate_results, orch_dir)
+            if bool(config.get("macp", {}).get("cleanup_worktrees", True)):
+                macp_dispatcher.cleanup_worktree(task, config)
     else:
         save_json(
             results_dir / f"{task_id}.json",