feat(lifecycle): validate shared symlinks at daemon startup (A2)

Wire symlinks.ValidateAll into the lifecycle manager so the daemon
refuses to start if any configured account is missing one of the
shared-state symlinks or if a link diverges from the canonical target.

Previously, a missing link on a freshly deployed VM would silently
create a divergent state tree per account (duplicate JSONL transcripts,
broken undo history) — exactly the failure mode the symlinks package
(A1) was introduced to prevent.

The check runs once at startup before EnsureAllSessions, guarding a
single well-defined invariant: "every account home shares the same
projects/, file-history/ and session-env/ roots". No auto-heal on
divergence — we fail fast with an explicit error so the operator fixes
it manually rather than one account's state being overwritten.

Part of Phase 1 Chantier A — Robust failover.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ubuntu 2026-04-16 19:03:43 +00:00
parent 91091d7abf
commit e16e3526a0
3 changed files with 68 additions and 1 deletions

@ -51,6 +51,15 @@ func main() {
// Initialise tmux client and lifecycle manager.
tmuxClient := tmux.NewExecClient()
lm := lifecycle.New(tmuxClient, s, cfg)
// Validate (and self-heal) the shared-state symlinks BEFORE spawning
// any sessions. A divergent link would silently fork transcripts
// between accounts and make failover destructive, so we fail fast here
// rather than after work is in flight.
if err := lm.ValidateSharedSymlinks(); err != nil {
log.Fatalf("shared symlinks validation failed: %v", err)
}
lm.EnsureAllSessions()
// Block until SIGINT or SIGTERM.
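Review bot: the new comment block above the `lm.ValidateSharedSymlinks()` call says "Validate (and self-heal) the shared-state symlinks", but the commit message states there is no auto-heal on divergence and the code path only calls `log.Fatalf` on error, so the comment describes behaviour this change does not implement. Suggest dropping "(and self-heal)" and stating what actually happens, e.g. "// Validate the shared-state symlinks BEFORE spawning any sessions; on a missing or divergent link we exit so the operator can repair it by hand." Keeping the comment in step with the fail-fast contract matters here because a future reader could otherwise assume a startup failure is recoverable without intervention.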