fix: TASK-357 — TASK-322 Wave 4 lows (10 findings) + transcription tests

[alekspetrov]

Context

Closes the final tranche of the TASK-322 security/code audit — the 13 deferred low-severity findings (Wave 4). All were re-verified against main (ab15125) before fixing per the audit gate; none had been incidentally fixed by Waves 2–3, so all 10 distinct findings are addressed here.

What changed

Leak evictions (autopilot, alerts)

• B6a controller.go — removePR now evicts recordedMerges alongside activePRs/prFailures (was never deleted → unbounded over daemon lifetime).
• B6b ci_monitor.go — grace-expired terminal paths now delete(discoveryStart, sha); previously only the "checks found" path evicted, leaking every no-CI SHA + superseded commit.
• E7 engine.go — added retryLastSeen + evictStaleRetryTrackers (24h TTL) on the existing checkStuckTasks ticker, mirroring fix(alerts): task_stuck floods Slack — progress never emitted, per-rule cooldown rotates, no orphan cleanup #2204 orphan eviction; abandoned/escalated sources no longer leak.

Error-handling hygiene (executor, orchestrator, discord)

• G1 worktree.go — CleanupOrphanedWorktrees returns (removedCount, freedBytes, err) with err reserved for real failures, instead of abusing a non-nil error to signal success (a trap for idiomatic callers). 4 call sites + 3 tests updated.
• A4b runner.go — clean up the MkdirTemp hook dir on the WriteEmbeddedScripts failure branch (was leaking for the process lifetime).
• G2 bridge.go — runPython wraps with %w not %v so callers can errors.Is(context.DeadlineExceeded) / errors.As(*exec.ExitError).
• G3 transport.go — discord heartbeat logs the WriteJSON error and returns to trigger immediate reconnect instead of discarding it.

Bug + diagnosability (executor, github)

• A4a parallel.go — research subagent passes --model as two argv elements ("--model", name) instead of one joined "--model haiku" string the CLI parsed as a single unknown flag. Subagents were silently running on the default model. (tagged bug · conf high)
• board-low client.go — ExecuteGraphQL aggregates all gqlResp.Errors (message + type + path) instead of only Errors[0]. Partial-data tolerance stays on the TASK-319 board track per the audit doc.

Test coverage (transcription)

• G4 internal/transcription 0 → 3 test files: whisper_api error/parse/empty-transcript paths (httptest + URL-rewrite RoundTripper), setup status, Service primary/fallback routing.

Acceptance

• go build ./... ✅
• make lint ✅ 0 issues
• Tests ✅ all changed packages pass (autopilot, alerts, executor, orchestrator, discord, github, transcription, cmd/pilot)

Re-audit + ledger tick-off and TASK-357 archival to follow on merge — that closes the entire TASK-322 audit.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 26.66667% with 55 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
cmd/pilot/main.go	0.00%	14 Missing ⚠️
cmd/pilot/commands.go	0.00%	10 Missing ⚠️
internal/alerts/engine.go	41.17%	9 Missing and 1 partial ⚠️
internal/adapters/github/client.go	50.00%	5 Missing and 2 partials ⚠️
internal/executor/parallel.go	0.00%	6 Missing ⚠️
internal/adapters/discord/transport.go	0.00%	4 Missing ⚠️
internal/executor/runner.go	0.00%	2 Missing ⚠️
internal/executor/worktree.go	66.66%	1 Missing ⚠️
internal/orchestrator/bridge.go	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!