fix(autofix): handle root directory pattern for safe sweep #272

Merged
stranske merged 1 commit into main from fix/autofix-safe-sweep-pattern
Dec 29, 2025

@stranske stranske commented Dec 29, 2025

Automated Status Summary

Scope

  • Context / problem:
    - Current orchestration depends on PATs and/or mixed identities, which is fragile and painful to maintain.
    - GitHub Actions has recursion protection: pushes/labels/comments made with GITHUB_TOKEN generally will NOT trigger other workflows.
    - A GitHub App installation token is the cleanest way to get predictable “workflow triggers workflow” behavior without tying everything to a human PAT.
  • Goal:
    - Create a GitHub App (single org/user app) that can be installed on your repos.
    - Mint short-lived installation tokens inside workflows.
    - Replace all PAT usage in orchestrator + keepalive + dispatch workflows with the App token.

Tasks

  • Create GitHub App (UI, not code): name it "agents-workflows-bot" (or similar)
  • Set App permissions (minimal but sufficient):
    - Contents: Read & write
    - Pull requests: Read & write
    - Issues: Read & write
    - Actions: Read & write (for dispatching / reading runs)
    - Metadata: Read-only
  • Install the App on: Workflows, Workflows-Integration-Tests, Travel-Plan-Permission, Portable-Alpha-Extension-Model, Trend_Model_Project
  • Add secrets to Workflows repo (or org secrets):
    - WORKFLOWS_APP_ID
    - WORKFLOWS_APP_PRIVATE_KEY (the PEM contents)
  • Update all workflows that currently use PATs to:
    - mint app token
    - export GH_TOKEN to that token
    - (optional) checkout using that token so git push is clean
  • Add a “compat mode” fallback (temporarily) so you can flip back to PAT if needed during rollout

Acceptance criteria

  • No workflow in Workflows repo requires a PAT for:
    - labeling PRs/issues
    - creating comments
    - pushing commits to PR branches
    - dispatching workflows
  • A commit pushed by the bot identity reliably triggers the Gate workflow (no “dead loop”).
  • Secrets inventory is reduced: only App ID + private key (and OPENAI_API_KEY) are required for the automation system.
  • Rollout / safety:
    - Roll out in Workflows-Integration-Tests first, then Workflows, then consumer repos.
    - Add CODEOWNERS for .github/workflows/** and .github/scripts/** so this can’t get silently corrupted later.

Head SHA: cee2332
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents PR meta manager | ❔ in progress | View run |
| CI Autofix Loop | ✅ success | View run |
| Copilot code review | ❔ in progress | View run |
| Gate | ✅ success | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ❌ failure | View run |
| Health 45 Agents Guard | ✅ success | View run |
| Health 50 Security Scan | ✅ success | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ✅ success | View run |

Head SHA: 1c07da6
Latest Runs: ❔ in progress — Gate
Required: gate: ❔ in progress

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents Keepalive Loop | ✅ success | View run |
| Agents PR meta manager | ✅ success | View run |
| CI Autofix Loop | ✅ success | View run |
| Copilot code review | ❔ in progress | View run |
| Gate | ❔ in progress | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ❔ in progress | View run |
| Health 45 Agents Guard | ✅ success | View run |
| Health 50 Security Scan | ❔ in progress | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ❔ in progress | View run |
| Validate Sync Manifest | ✅ success | View run |

When a repo has Python files at the root directory, the safe sweep
pattern matching would fail because:
- find returns '.' as a directory
- clean_dir="${dir#./}" transforms '.' to empty string
- Pattern './**' or empty doesn't match paths like 'scripts/file.py'

This fix detects when clean_dir is empty or '.' and uses '**' pattern
which correctly matches all files at any depth.

Fixes #266
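
The root-directory case from the commit message, as an added shell example (not the repository's script): `pattern_before`, `pattern_after`, `matches` and `verdict` are hypothetical names, the matcher assumes glob semantics where `*` also crosses `/`, and the sample paths are constructed. It shows `${dir#./}` leaving a bare `.` unchanged, the resulting `./**` rejecting root-relative paths, and how much the `**` replacement admits.

```shell
#!/bin/sh
# Added illustration; names and matcher are assumptions, not the repo's code.

# Pre-fix derivation: strip a leading "./", then append "/**" if non-empty.
pattern_before() {
    clean_dir="${1#./}"
    if [ -n "$clean_dir" ]; then printf '%s\n' "${clean_dir}/**"; fi
}

# Post-fix derivation: an empty or "." directory becomes "**".
# The else branch is assumed; the page shows only the new `if` line.
pattern_after() {
    clean_dir="${1#./}"
    if [ -z "$clean_dir" ] || [ "$clean_dir" = "." ]; then
        printf '%s\n' '**'
    else
        printf '%s\n' "${clean_dir}/**"
    fi
}

# Assumed matcher: shell glob semantics, where "*" also matches "/".
matches() {  # matches PATH PATTERN
    case $1 in
        $2) return 0 ;;
    esac
    return 1
}

# Prints "allowed" or "rejected" for PATH against the pattern derived from DIR.
verdict() {  # verdict before|after DIR PATH
    pat=$("pattern_$1" "$2")
    if matches "$3" "$pat"; then echo allowed; else echo rejected; fi
}

# Constructed sample paths, not taken from the repository.
for path in scripts/file.py setup.py .github/workflows/ci.yml; do
    printf '%-28s before=%-8s after=%s\n' "$path" \
        "$(verdict before . "$path")" "$(verdict after . "$path")"
done
```

With the root directory in play, every path is allowed after the fix, including files under `.github/workflows/`, so the directory allow-list stops acting as a restriction for such repositories.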
Copilot AI review requested due to automatic review settings December 29, 2025 05:23
@stranske stranske added the autofix Opt-in automated formatting & lint remediation label Dec 29, 2025

github-actions bot commented Dec 29, 2025

Automated Status Summary

Head SHA: 95dd54b
Latest Runs: ⏳ pending — Gate
Required contexts: Gate / gate, Health 45 Agents Guard / Enforce agents workflow protections
Required: core tests (3.11): ⏳ pending, core tests (3.12): ⏳ pending, docker smoke: ⏳ pending, gate: ⏳ pending

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| (no jobs reported) | ⏳ pending | |

Coverage Overview

  • Coverage history entries: 1

Coverage Trend

| Metric | Value |
|--------|-------|
| Current | 78.63% |
| Baseline | 0.00% |
| Delta | +78.63% |
| Minimum | 70.00% |
| Status | ✅ Pass |

Updated automatically; will refresh on subsequent CI/Docker completions.


Keepalive checklist

Scope

No scope information available

Tasks

  • No tasks defined

Acceptance criteria

  • No acceptance criteria defined


github-actions bot commented Dec 29, 2025

🤖 Keepalive Loop Status

PR #272 | Agent: Codex | Iteration 0/5

Current State

| Metric | Value |
|--------|-------|
| Iteration progress | [----------] 0/5 |
| Action | wait (missing-agent-label) |
| Gate | success |
| Tasks | 0/42 complete |
| Keepalive | ❌ disabled |
| Autofix | ❌ disabled |

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

@agents-workflows-bot

⚠️ Action Required: Unable to determine source issue for PR #272. The PR title, branch name, or body must contain the issue number (e.g. #123, branch: issue-123, or the hidden marker ).


Copilot AI left a comment

Pull request overview

This PR fixes a bug in the autofix safe sweep pattern matching that prevented autofix from pushing fixes when Python files exist at the repository root directory.

  • Handles the edge case where find returns . for root directory Python files
  • Replaces empty/root directory patterns with ** to match all files at any depth
  • Prevents false rejections of legitimate file changes

clean_dir="${dir#./}"
if [[ -n "$clean_dir" ]]; then allowed_patterns+=("${clean_dir}/**"); fi
# Handle root directory: "." or empty becomes "**" to match all files
if [[ -z "$clean_dir" || "$clean_dir" == "." ]]; then
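
Review bot: On the new `if [[ -z "$clean_dir" || "$clean_dir" == "." ]]` branch, replacing the root directory with `**` makes the allow-list match every path in the repository, so for any repo with Python files at its root the safe sweep no longer restricts changes by location at all. If only the swept file type is meant to pass, use a root pattern limited to that file type; if the wide match is intended, say so in the comment above the branch so the loss of the directory restriction is a documented decision.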

Copilot AI Dec 29, 2025

The condition checking for "$clean_dir" == "." is redundant. After the parameter expansion "${dir#./}", if dir is ., then clean_dir will be an empty string (not .). The #./ pattern removes the shortest match of ./ from the beginning, so . becomes empty. Therefore, checking [[ -z "$clean_dir" ]] alone is sufficient to catch this case.

Suggested change
if [[ -z "$clean_dir" || "$clean_dir" == "." ]]; then
if [[ -z "$clean_dir" ]]; then
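
Review bot: Dropping `"$clean_dir" == "."` as this suggestion does would leave the targeted case unhandled, because `${dir#./}` removes only a leading `./`: with `dir=.` there is no `./` prefix to strip, so `clean_dir` stays `.` and the `-z` test alone does not fire. Keep both tests; `-z` covers an input of `./`, and `== "."` covers the bare `.` that `find` returns.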

@stranske stranske merged commit 3ea9581 into main Dec 29, 2025
75 of 80 checks passed
@stranske stranske deleted the fix/autofix-safe-sweep-pattern branch December 29, 2025 05:25