feat(workflows): add clippy-fixer agentic workflow

[jamesadevine]

Summary

Adds a new agentic workflow, clippy-fixer, that runs daily and opens a focused PR to clear cargo clippy warnings as they surface.

Design (mirrors the existing bash-lint-auditor pattern):

• Trigger: fuzzy daily schedule around 08:30
• Permissions: read-only — all writes flow through safe-outputs
• Tools: bash, github, cache-memory (to track prior runs and avoid duplicate PRs)
• Network: defaults, rust (cargo / crates.io)
• Safe output: create-pull-request (max 1) with allowed-files scoped to src/**, tests/**, examples/**, ado-aw-derive/**, Cargo.toml, Cargo.lock

Agent loop:

1. Load cache state; exit early if a prior clippy-fixer PR is still open.
2. Verify toolchain / install the clippy component if missing.
3. Baseline cargo clippy --all-targets --all-features --workspace -- -D warnings.
4. Triage to one focused scope per run — explicitly forbids mixing unrelated lints, blanket #[allow], or Cargo.toml lint-level edits.
5. Apply canonical fixes from a built-in lint-to-fix table covering the common rules (needless_borrow, redundant_clone, uninlined_format_args, or_fun_call, single_match, etc.).
6. Validate with cargo build, cargo test, and a full clippy pass. Revert if cargo test regresses.
7. Save state to cache and open a PR with a conventional-commits title (style/refactor/fix(clippy): ...).

Includes both the source .md and the compiled .lock.yml.

Test plan

• gh aw compile clippy-fixer → 0 errors, 0 warnings.
• gh aw compile clippy-fixer --validate → passes (only an informational notice about a newer actions/github-script SHA, which is repo-wide and unrelated to this workflow).

The workflow runs against the production toolchain on a real runner, so live verification will happen on the first scheduled execution.