v1.57.3.0 fix(ship): always-loaded PR-title-version rule + fork-PR title-sync backstop

[garrytan]

Summary

Restores a regression and hardens the title-sync backstop. The v1.54.0.0 carve moved the "PR title must start with v$NEW_VERSION" rule out of /ship's always-loaded skeleton into the lazily-loaded pr-body.md section, so the agent only applied it when it happened to read that section — recent open PRs landed with bare titles.

Ship skeleton (agent-side fix)

• fix(ship): restore always-loaded PR-title-version invariant to skeleton — adds a one-line invariant + helper reference to ship/SKILL.md.tmpl right before the {{SECTION:pr-body}} pointer (mirrors the AUQ always-loaded precedent); full procedure stays sectioned. Regenerated all hosts.
• fix(ship): expand binDir path in pr-body Linked Spec block — ${ctx.paths.binDir} is only substituted in .ts resolvers, not .tmpl files, so it shipped literally into the generated pr-body.md Linked Spec block. Now uses the hardcoded helper path.

CI backstop (fork coverage)

• fix(ci): pr-title-sync covers fork PRs via hardened pull_request_target — plain pull_request gives a read-only token on fork PRs, so the title-sync workflow could never edit a fork/agent PR. Switched to pull_request_target (write token in base context) and made it safe: base-repo checkout only (no PR-head code execution), all PR fields via env: (never inlined into run:), VERSION read as data from the PR head, same-repo-loud / fork-soft on failure, no raw-title echo.

Guards (keep it from drifting again)

• test(ship): guard PR-title-version rule + pull_request_target safety — adds test/pr-title-sync-workflow-safety.test.ts, a static tripwire that fails CI if the workflow checks out PR-head code or inlines an attacker-controlled ${{ github.event.pull_request.* }} field into a run: block (the injection class actionlint can't catch).
• refactor(test): fold ship PR-title skeleton guard into carve-guard registry — main shipped a generalized carve-guard system (v1.57.0.0 feat: carve-guard system + carve cso/document-release/design-consultation #1907) that is now the single source of truth for carved-skill skeleton invariants. Registered the rule there (mustStayInSkeleton asserts v$NEW_VERSION + the helper stay always-loaded; mustMoveToSection asserts both the create and update PR paths stay carved into the section) and deleted the now-redundant standalone test.

(The merge commit pulls in main's v1.57.0.0 carve-guard system; it is not part of this PR's substantive change.)

Test Coverage

All new behavior is covered by deterministic free tests:

• test/pr-title-sync-workflow-safety.test.ts (new) — 5 assertions: no PR-head checkout, no ${{ pull_request.* }} in run:, uses pull_request_target, title via env:.
• test/helpers/carve-guards.ts ship entry — mustStayInSkeleton + mustMoveToSection now assert the PR-title invariant via the carve-guard ordering test (test/carve-section-ordering.test.ts).
• Helper unchanged, still covered by test/pr-title-rewrite.test.ts (9 cases).

The only inherent gap is pull_request_target runtime behavior, which is not locally unit-testable; covered by actionlint + the static safety tripwire + a live fork-PR smoke after merge.

Pre-Landing Review

• Eng review (/plan-eng-review): CLEAR — 5 findings, 0 critical gaps, all folded in (including a prior-learning catch that the original commit split would fail CI check-freshness; corrected to atomic tmpl+regen).
• Codex (/codex review, outside voice): PASS (no P1) — 8 findings, all folded in. Codex caught 4 things eng-review missed: gen:skill-docs needs --host all, the workflow needs a mechanical injection guard, the refs/pull/N/head read was an unsafe assumption (now uses head-repo metadata), and a path-token issue. One Codex finding (browse skill: default to sonnet to save tokens #8, use ${ctx.paths.binDir} in the skeleton) was REVERSED after verifying that token doesn't substitute in .tmpl files.

Eval Results

Diff-selected suite (bun run test:evals), full tier: routing 10/10 PASS, $2.39, 563s (includes journey-ship). Free gate (bun test) green.

Two ios-qa agent-flow simulation tests failed under full-suite concurrency (tailnet allowlist gate, capability-tier enforcement). Proven unrelated to this branch (blame protocol):

1. This branch's diff touches zero ios files (all changes are ship/CI/changelog/test-registry).
2. test/skill-e2e-ios.test.ts on origin/main in isolation: 7 pass, 0 fail.
3. Same test on this branch in isolation: 7 pass, 0 fail.
4. The failures only appear under parallel test:evals load with (attempt 3) retry markers — timing/resource flakiness, not a deterministic regression. Pre-existing test-infra flakiness, not introduced here.

Plan Completion

Plan implemented in full (skeleton invariant, two guard tests, CI hardening, binDir fix, carve-guard integration). All eng + codex findings folded in. 0 unresolved.

Test plan

• bun test (free gate) — passed
• bun test targeted: carve-guard 20/0, workflow-safety 8/0, 786 skill-doc tests
• bun run test:evals routing 10/10; ios-qa flakiness proven pre-existing
• actionlint .github/workflows/pr-title-sync.yml — clean
• gstack-pr-title-rewrite.sh 3-case sanity

🤖 Generated with Claude Code

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

[github-actions]

E2E Evals: ✅ PASS

9/9 tests passed | $.94 total cost | 12 parallel runners

Suite	Result	Status	Cost
e2e-qa-workflow	1/1	✅	$0.12
e2e-review	2/2	✅	$0.24
e2e-workflow	2/2	✅	$0.27
llm-judge	2/2	✅	$0.04
e2e-workflow	2/2	✅	$0.27

---

12x ubicloud-standard-8 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite