wire types: add sha + tag to Approval and HelperEvent

approval grows fetched_sha (canonical hive-c0re-vouched sha,
distinct from manager-supplied commit_ref). helperevent
{approvalresolved,spawned,rebuilt} grow optional sha + tag so
the manager can git-show the exact tree it's hearing about
(against the upcoming /agents/<n>/applied.git RO mount) and
know which terminal tag landed. all serde-defaulted; existing
construction sites pass none until the tag-driven flow lands.

hive-sh4re/src/lib.rs

@@ -65,8 +65,18 @@ pub struct Approval {
     pub agent: String,
     #[serde(default)]
     pub kind: ApprovalKind,
-    /// For `ApplyCommit`: the git sha to apply. For `Spawn`: empty.
+    /// For `ApplyCommit`: the git sha the manager submitted. For `Spawn`:
+    /// empty. Note that this is the manager's *claimed* ref — the
+    /// canonical, hive-c0re-vouched sha after the proposal fetch lives
+    /// in `fetched_sha`.
     pub commit_ref: String,
+    /// The sha hive-c0re fetched from the proposed repo into applied at
+    /// submission time, then tagged `proposal/<id>`. Stable for the
+    /// lifetime of the approval — manager amends in proposed don't
+    /// change what gets built. Only set for `ApplyCommit` after the
+    /// successful fetch.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub fetched_sha: Option<String>,
     pub requested_at: i64,
     pub status: ApprovalStatus,
     #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -236,6 +246,18 @@ pub enum HelperEvent {
         status: ApprovalStatus,
         #[serde(default, skip_serializing_if = "Option::is_none")]
         note: Option<String>,
+        /// Canonical sha hive-c0re fetched into applied at submission
+        /// time. `git show <sha>` against `/agents/<n>/applied.git`
+        /// inside the manager container yields the exact tree being
+        /// referenced.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        sha: Option<String>,
+        /// Terminal tag name in the applied repo for this approval —
+        /// `deployed/<id>`, `failed/<id>`, or `denied/<id>` (and
+        /// `approved/<id>` for the rare bare-approval case where
+        /// no underlying action runs).
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        tag: Option<String>,
     },
     /// A new container was spawned (post-approval or via the admin CLI
     /// bypass path). `ok=false` means the spawn failed.
@@ -244,6 +266,10 @@ pub enum HelperEvent {
         ok: bool,
         #[serde(default, skip_serializing_if = "Option::is_none")]
         note: Option<String>,
+        /// Sha of the `deployed/0` commit seeded by hive-c0re on
+        /// first spawn (Some on success, None on failure).
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        sha: Option<String>,
     },
     /// A container was rebuilt (auto-update on flake rev change, or a
     /// manual rebuild from CLI/dashboard).
@@ -252,6 +278,18 @@ pub enum HelperEvent {
         ok: bool,
         #[serde(default, skip_serializing_if = "Option::is_none")]
         note: Option<String>,
+        /// Sha that ended up at `deployed/<id>` on success, or the
+        /// proposal sha that just got tagged `failed/<id>` on
+        /// failure. None for the (rare) rebuild path that doesn't go
+        /// through an approval (e.g. auto_update::rebuild_agent
+        /// reapplying the existing main).
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        sha: Option<String>,
+        /// `deployed/<id>` or `failed/<id>` for approval-driven
+        /// rebuilds; None for auto-update / dashboard rebuilds that
+        /// don't change the deployed commit.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        tag: Option<String>,
     },
     /// A sub-agent's container was stopped (the systemd unit is down;
     /// persistent state is unchanged).