Make tracking writes either transactional or explicitly opt-in best-effort

[franconicola]

Problem. Today, tracking writes happen as a side effect of the attack loop and silently fail. Either they're load-bearing (and a failure should fail the run) or they're best-effort (and the user should opt in knowing the audit may be incomplete).

Actions.

• Decide the policy. Recommendation: default to strict (failure to write a tracking record fails the step with a clear error). Add a tracking_mode: Literal["strict", "best_effort"] = "strict" parameter to HackAgent or the relevant orchestrator entry point.
• Wrap multi-record writes for one step in a SQLite transaction in LocalBackend so partial states never persist.
• Surface tracking errors in the RunRecord (new field tracking_status).
• Tests for both modes.

Acceptance: strict mode raises on tracking failure; best-effort mode logs at WARN and records tracking_status="partial".