fix(ci): mythos-auto aggregate uses curl not gh; register p3_stream.rs

[avrabe]

Summary

Fifth mythos-auto plumbing fix — and it unblocks the auto-runner end-to-end.

On PR #173, the mythos-auto scan ran end-to-end for the first time: claude-code-action applied the Mythos discover protocol to merger.rs and resolver.rs and returned NO_FINDINGS for both. But the aggregate job — which composes the sticky comment and applies the mythos-pass-done label — exited 127:

/var/lib/runners/runner8/_work/.../d339fc7e.sh: line 53: gh: command not found

gh (GitHub CLI) is not installed on the light runner. So the label never auto-applied and the label-only Mythos delta-pass gate failed downstream — even though the actual Mythos verdict was clean.

Changes

Change	Detail
Comment upsert: gh api → curl	List/PATCH/POST against the REST API. curl + jq are universally present; gh is not.
Label apply: gh pr edit → curl	POST to the labels endpoint (adds without clobbering). Label step gains REPO env.
Body JSON-encoding	jq -Rs '{body: .}' reads the markdown file as one raw string — newlines, quotes, emoji, backticks, model-authored hypothesis text all escaped, nothing breaks the request body.
curl -fsS	Fails loudly on HTTP error rather than silently posting nothing.
Register p3_stream.rs Tier-5	Added to the path lists in mythos-gate.yml + mythos-auto.yml — deferred from #173.

Why p3_stream.rs registration rides here

claude-code-action self-validates that the workflow invoking it has content identical to main (a security measure). So a PR cannot both modify mythos-auto.yml and be scanned by it — that's what blocked #173's first run. This PR touches only the two workflow files — no Tier-5 source — so its own auto-runner detect job finds nothing to scan, any=false, the scan job skips, and the self-validation never runs. Clean.

The 5 mythos-auto plumbing bugs (now all fixed)

1. unzip missing on rust-cpu runners (smithy: unzip missing on rust-cpu runners blocks claude-code-action #167, smithy-side)
2. slug step ordering (fix(ci): mythos-auto plumbing — slug ordering, unzip install #164)
3. id-token: write permission (fix(ci): drop musl target from fuzz.yml + add id-token to mythos-auto (#168) #170)
4. workflow self-validation vs PRs modifying mythos-auto.yml (handled by feat(p3): cross-component stream<T> pairing detection (#141, ADR-3) #173 revert + this PR's no-Tier-5-source design)
5. gh absent on light runner — this PR

After this lands, the next Tier-5 PR should run mythos-auto fully green: detect → scan (NO_FINDINGS) → aggregate (curl posts comment + label) → gate clears.

Test plan

• CI green
• This PR's own mythos-auto: detect finds no Tier-5 source → scan + aggregate skip cleanly
• Verified end-to-end on the next Tier-5 PR (P3 async — static stream validation at build time (#94 sub-B) #142 will be the test)

🤖 Generated with Claude Code

[github-actions]

LS-N verification gate

✅ 19/19 approved LS entries verified

	count
Passed (≥1 test, all green)	19
Failed (≥1 test failure)	0
Missing (no ls_*_NN_* test found)	0

_{Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11 →
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.}

Failed LS entries

(none)

Missing regression tests

(none)

_{Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.}