[Change] Trustworthy green checks for CI, pre-commit, and PR review

[djm81]

Summary

Make repository green checks trustworthy by aligning CI, pre-commit, and automated PR review semantics so required checks actually block and advisory checks are explicitly advisory.

Why

Current quality coverage is broad, but enforcement is inconsistent:

• some CI jobs in pr-orchestrator.yml still suppress failure while looking authoritative in GitHub
• local pre-commit behavior is stronger in the smart-check wrapper than in .pre-commit-config.yaml
• CodeRabbit auto-review covers dev PRs but not main-bound release PRs
• dev -> main fast-path skipping can hide follow-up commit risk

That makes "green checks" less trustworthy than they should be.

Proposed changes

• harden required jobs in .github/workflows/pr-orchestrator.yml so required tool failures fail the job
• define explicit required vs advisory gate taxonomy and naming
• tighten dev -> main skip logic so fast-path skips only happen when parity is provable
• require workflow lint/static validation in CI for .github/workflows/** changes
• align supported local pre-commit installation with core CI gate semantics
• extend CodeRabbit auto-review coverage to both dev and main

OpenSpec

• Change ID: ci-02-trustworthy-green-checks
• Proposal: openspec/changes/ci-02-trustworthy-green-checks/proposal.md
• Validation: openspec validate ci-02-trustworthy-green-checks --strict ✅

Parent Feature

• Parent Feature: [Feature] Code Review Workflow Integration #406