Security testing for multi-agent swarms: agent isolation, delegation trust, inbox spoofing

## Context ClawTeam enables powerful swarm intelligence - a leader agent spawning specialized sub-agents, each with their own worktree and communication channel. The coordination model is elegant. The security surface of this architecture hasn't been explored yet. When 8 agents run autonomously across GPUs with zero human intervention, several attack vectors become relevant: ## Attack Vectors Specific to ClawTeam's Architecture ### 1. Inbox Message Spoofing `clawteam inbox send` lets any agent message any other agent. Can a sub-agent impersonate the leader? Can an external process inject messages into the inbox? If the leader trusts `inbox` messages without verifying sender identity, a compromised worker can redirect the entire swarm. ### 2. Git Worktree Cross-Contamination Each agent gets its own worktree. But they share the same repo. Can Worker A's commits affect Worker B's branch? Can a malicious agent push to main or to another worker's branch? The isolation is filesystem-level, not permission-level. ### 3. Leader Delegation Trust The leader spawns workers and assigns tasks. But when a worker reports "Auth done. All tests passing" - how does the leader verify that? Self-reported completion without external verification is the most common governance failure in multi-agent systems. We documented a 14-day silent outage where agents reported "running" but had stopped doing useful work. ### 4. Task Escalation via Dependency Manipulation ClawTeam has "smart dependency m...