feat(conflict): target-overlap analyzer using changeset resolver (#223)

## Summary
Add submitqueue/extension/conflict/targetoverlap, a conflict.Analyzer
that flags two batches as conflicting when they change a common file. It
is the first analyzer to use the capability the extension contract
unblocks: it takes only batch identity and resolves each batch's changed
files itself through an injected changeset.Resolver, derived from each
change's provider details.

ConflictTypeTargetOverlap was already named in the contract but had no
implementation that could be written against an identity-only batch —
this is that implementation. No change to the conflict.Analyzer
interface. The example wires a target-overlap-queue to it.

## Test Plan


## Issues


## Stack
1. #221
1. #222
1. @ #223
1. #227

refactor(pusher): push ordered batches, return per-batch outcomes (#222)

## Summary
Change Pusher.Push to take ordered []entity.Batch instead of
controller-pre-resolved []entity.Change, per the extension contract. The
git pusher and the fake gain an injected changeset.Resolver and resolve
each batch's changes themselves; the merge controller drops its private
collectChanges walk and passes the single batch (the list designs for a
future merge-train).

This is the one extension whose output shape also changes: Result now
groups outcomes per batch — Result{Batches []BatchOutcome}, where
BatchOutcome{BatchID, Outcomes []ChangeOutcome} — so each landed batch
stays correlatable, the way conflict.Conflict carries its BatchID.
ChangeOutcome (per-change commit detail) is unchanged. No per-batch
status: push atomicity stays all-or-nothing across the whole call.

## Test Plan


## Issues


## Stack
1. #221
1. @ #222
1. #223
1. #227

refactor(buildrunner): trigger on batches, resolve changes internally (…

…#221)

## Summary
Change BuildRunner.Trigger to take batch identity — base []entity.Batch
(the dependency batches) and head entity.Batch (the batch under test) —
instead of controller-pre-resolved base/head []entity.Change, per the
extension contract. Each implementation (buildkite, githubactions, fake)
gains an injected changeset.Resolver and resolves the base and head
batches' changes itself; the build controller drops its private
collectChanges walk and loads the dependency batches as identity.

Status, Cancel, and the build id/status outputs are unchanged. The
wiring injects the resolver into the fake build runner; the
buildkite/githubactions Params gain a Resolver field.

Revises build-runner.md, which had deliberately kept batches out of the
boundary — the base/head split survives, expressed as batch identity.

## Test Plan


## Issues


## Stack
1. @ #221
1. #222
1. #223
1. #227

refactor(scorer): score entity.Batch, resolve changes internally (#219)

## Summary
Change Scorer.Score to take the batch identity (entity.Batch) instead of
a controller-pre-resolved entity.BatchChanges, per the extension
contract. The score controller drops its private collectBatchChanges
walk and just hands the batch to the scorer.

The heuristic scorer and the fake gain an injected changeset.Resolver
and call DetailedForBatch to resolve the batch's changes themselves; the
composite scorer delegates the batch to its children unchanged. The
wiring constructs one resolver from the request and change stores and
injects it into every scorer it builds.

Output is unchanged (a single float64 score per batch). The scorer
factory and Config are unchanged — the resolver is injected at
construction.

## Test Plan


## Issues


## Stack
1. #217
1. #218
1. @ #219
1. #221
1. #222
1. #223
1. #227

refactor(changeprovider): accept entity.Request, resolve change inter…

…nally (#218)

## Summary
Change ChangeProvider.Get to take the orchestrator's request identity
(entity.Request) instead of a controller-pre-resolved entity.Change, per
the extension contract. The GitHub implementation and the fake read
request.Change themselves; the validate controller hands over the
request it already loaded.

Output is unchanged: one entity.ChangeInfo per URI, each
self-identifying by URI. The provider is the external resolver, so it
needs no injected dependency — the factory and Config are unchanged.

## Test Plan


## Issues


## Stack
1. #217
1. @ #218
1. #219
1. #221
1. #222
1. #223
1. #227

refactor(mergechecker): accept entity.Request, resolve change interna…

…lly (#217)

## Summary
Change MergeChecker.Check to take the orchestrator's request identity
(entity.Request) instead of a controller-pre-resolved entity.Change, per
the extension contract. The GitHub implementation and the fake read
request.Change themselves; the validate controller hands over the
request it already loaded.

Output is unchanged (mergechecker.Result). The factory and Config are
unchanged — no dependency injection is needed since the checker resolves
nothing beyond the change already on the request.

## Test Plan


## Issues


## Stack
1. @ #217
1. #218
1. #219
1. #221
1. #222
1. #223
1. #227

feat(changeset): shared batch→changes resolver in core (#216)

## Summary
Add submitqueue/core/changeset, the single place the orchestrator
resolves batch identity into the changes a batch contains —
consolidating the batch -> requests -> changes walk that the build,
merge, and score controllers each performed privately.

Resolver exposes two single-batch fidelities, both keyed per batch so
callers with several batches loop and keep the per-batch boundary:
ChangesForBatch returns raw changes (URIs only, no change-store read)
for the build and merge stages, and DetailedForBatch returns one
ChangeInfo per claimed URI with provider details read from the change
store, for the score stage and detail-aware analyzers.

Ships with a store-backed implementation (depending only on the request
and change stores), a programmable in-memory fake, a generated mock, and
tests. The package is added unused; extensions adopt it in later
branches. entity.BatchChanges is repurposed as DetailedForBatch's output
(doc comment only). The mocks make-target gains the new package.

## Test Plan


## Issues


## Stack
1. #214
1. @ #216
1. #217
1. #218
1. #219
1. #221
1. #222
1. #223
1. #227

docs(rfc): extension contract — identity in, resolve internally (#214)

## Summary
### Why?

Extension input granularity is inconsistent across the orchestrator
pipeline: `conflict.Analyzer` takes orchestrator identity
(`entity.Batch`), while `scorer` / `mergechecker` / `changeprovider` /
`buildrunner` / `pusher` take controller-resolved `entity.Change`. The
split caps what an extension can do — a real `target_overlap` conflict
analyzer and a diff-aware heuristic scorer both cannot be written today,
because the data they need is neither in the contract nor resolvable by
the extension.

### What?

Adds `doc/rfc/submitqueue/extension-contract.md` proposing that
decision/action extensions accept thin reference entities at their
pipeline-stage granularity (`entity.Request` for request-stage,
`entity.Batch` / `[]entity.Batch` for batch-stage) and resolve granular
content themselves via narrowly-injected `Factory` dependencies, while
`storage` / `changestore` / `queueconfig` stay key/value resolution
targets. `conflict.Analyzer` is the baseline. The RFC revises the
BuildRunner base/head contract (`build-runner.md`) to pass batches
rather than change lists.

Also encodes the rule in `CLAUDE.md` so new extensions and signature
changes follow it, and links the RFC from the RFC index. Documentation
only — no code changes.

## Test Plan


## Issues


## Stack
1. @ #214
1. #216
1. #217
1. #218
1. #219
1. #221
1. #222
1. #223
1. #227

chore(deps): downgrade tally from v4 to v3.5.8 (#224)

Align with go-code uberfx/tallyfx, which injects tally.Scope from
github.com/uber-go/tally rather than tally/v4.

## Why?
Currently, this repo uses tally/v4, but we use v3 internally. The
interface is the same but the types are not compatible.

## What?
Swap to version of tally used internally 

## Test Plan
- Tests in this repo
- Launch each of our internal services

docs(rfc): stovepipe post-merge trunk-validation workflow (#215)

## Summary

### Why?

SubmitQueue can no longer prove every change green before merge at the
monorepo's current throughput, so it now merges directly to a single
`main` that may be temporarily broken. Stovepipe is the post-merge
service that validates `main`, records per-commit health, and drives
recovery. There was no design doc describing its pipeline; this RFC
fills that gap, mirroring `doc/rfc/submitqueue/workflow.md` so the two
services read as siblings.

### What?

Adds `doc/rfc/stovepipe/workflow.md` describing the end-to-end pipeline:
ingest trunk push events (external webhooks plus a fallback
reconciliation poller, deduped on commit SHA) → start → validate → batch
commits since the last known green → speculate / build / buildsignal →
on green record `succeeded`; on failure bisect to the offending commit →
invoke a pluggable remediation extension whose external backend lands a
fix or revert via SQ.

Documents the three commit states (`unknown` / `succeeded` / `failed`),
the SHA-as-identity / batch-as-validation-unit tracking model (bisect
owns termination), and two gateway-owned sinks the orchestrator
publishes to and the gateway consumes: `status` (the commit-status store
callers query) and `log` (an append-only event log, the analogue of SQ's
request log). Also covers fail-closed DLQ reconciliation, ownership by
service, and the status/log ownership invariant. Links the new doc from
`doc/rfc/index.md` under a new `## Stovepipe` section.