feat(claude-automerge): expand auth/billing/secret risk-tier alternations #78

Merged

topcoder1 merged 2 commits into main from claude/expand-automerge-risk-globs on May 24, 2026

Conversation

@topcoder1 (Owner)

Summary

Sibling-gap audit follow-up to #77 (which added oauth2 + main.go). The same literal-segment-alternation trap exists for several other auth-adjacent and billing-adjacent directory names the global policy intends to cover but the regex never enumerated.

Additions

  • Auth alternation: before `(auth|login|session|oauth|oauth2|sso)`, after `(auth|login|signin|signup|logout|session[s]?|oauth|oauth2|sso|jwt|mfa|totp|webauthn|passkey)`
  • Billing alternation: before `(billing|payment[s]?|pricing|invoice[s]?)`, after `(billing|payment[s]?|pricing|invoice[s]?|subscription[s]?|checkout|refund[s]?)`
  • Secrets: before `^(.*/)?secrets(/|$)`, after `^(.*/)?secret[s]?(/|$)`

Test coverage

Selftest grows from 41 → 60 RISKY cases (19 new segment-match examples across all three categories) and 16 → 25 SAFE cases (9 new substring/filename-prefix counter-examples like sessionsutil.go, passkeystore.go, subscriber.go, secretly.go, test_authorization_logic.py, docs/checkout-flow.md).

$ bash selftest/test_automerge_risk_patterns.sh
OK: all risk-pattern cases pass.

Scope limit (documented inline)

Pattern remains path-segment-anchored, not filename-prefix. Rails/Django/Express conventions like controllers/sessions_controller.rb or routes/logout.py are intentionally NOT matched globally — those belong in per-caller .github/risk-paths.yml. Catching them via the global regex would also over-match helpers/auth_helper.py and similar adjacent files. Precision over recall.

Vendor names (stripe, paypal, braintree) intentionally skipped for the same reason — per-caller.

Auto-merge rationale

In the manual-merge category (touches .github/workflows/**). The risk-tier path-scan will correctly block this PR on the new patterns themselves; manual click-merge required. (Also, topcoder1/ci-workflows doesn't install the caller, so PRs to this repo always require manual merge regardless.)

Codex pre-review

Skipped — purely additive regex + test cases (~50 LOC), regression surface covered by the selftest.

Test plan

  • bash selftest/test_automerge_risk_patterns.sh passes locally (60 RISKY + 25 SAFE)
  • Untracked the actionlint binary that got accidentally staged (follow-up commit + .gitignore)
  • Post-merge: spot-check on next Claude-authored PR touching e.g. internal/jwt/ or api/checkout/ on a fleet repo

🤖 Generated with Claude Code
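As an added illustration of the path-segment anchoring the description relies on (example code, not the repository's selftest), the following shell functions apply the three patterns to the RISKY and SAFE paths cited above. It assumes the auth and billing alternations are wrapped exactly like the secrets pattern shown, `^(.*/)?…(/|$)`; the constructed case list also includes the framework-convention paths the scope-limit paragraph says are intentionally left to per-caller `risk-paths.yml`.

```shell
#!/usr/bin/env bash
# Added example, not the repository's selftest. Assumption: the auth and billing
# alternations are wrapped like the secrets pattern the PR shows, ^(.*/)?<alt>(/|$),
# so a hit needs a whole path segment (directory name or bare filename), never a substring.
AUTH_RE='^(.*/)?(auth|login|signin|signup|logout|session[s]?|oauth|oauth2|sso|jwt|mfa|totp|webauthn|passkey)(/|$)'
BILLING_RE='^(.*/)?(billing|payment[s]?|pricing|invoice[s]?|subscription[s]?|checkout|refund[s]?)(/|$)'
SECRET_RE='^(.*/)?secret[s]?(/|$)'

# risk_tier PATH: prints RISKY:<category> for the first matching tier, else SAFE.
# Always exits 0 so a command substitution under set -e does not abort.
risk_tier() {
  if printf '%s\n' "$1" | grep -Eq "$AUTH_RE"; then
    echo "RISKY:auth"
  elif printf '%s\n' "$1" | grep -Eq "$BILLING_RE"; then
    echo "RISKY:billing"
  elif printf '%s\n' "$1" | grep -Eq "$SECRET_RE"; then
    echo "RISKY:secret"
  else
    echo "SAFE"
  fi
}

# Constructed cases (path=expected) built from the paths the PR description cites.
# The last two are the documented scope limit: per-caller, NOT matched globally.
CASES='internal/jwt/token.go=RISKY:auth
api/checkout/handler.go=RISKY:billing
config/secret/keys.yaml=RISKY:secret
sessionsutil.go=SAFE
passkeystore.go=SAFE
subscriber.go=SAFE
secretly.go=SAFE
test_authorization_logic.py=SAFE
docs/checkout-flow.md=SAFE
controllers/sessions_controller.rb=SAFE
helpers/auth_helper.py=SAFE'

# check_cases: prints each mismatch; exit status is the mismatch count (0 = all agree).
check_cases() {
  fails=0
  for entry in $CASES; do
    path=${entry%%=*}; expected=${entry#*=}
    got=$(risk_tier "$path")
    if [ "$got" != "$expected" ]; then
      echo "MISMATCH $path: want $expected, got $got" >&2
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}
check_cases && echo "OK: all constructed cases classify as expected."
```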

topcoder1 and others added 2 commits May 24, 2026 14:12
…ions

Sibling-gap audit follow-up to #77 (oauth2 + main.go). Same
literal-segment-alternation trap exists for other auth-adjacent and
billing-adjacent dirs that the global policy intends to cover but the
regex didn't enumerate.

Auth alternation: add signin, signup, logout, sessions (plural),
jwt, mfa, totp, webauthn, passkey.

Billing alternation: add subscription[s]?, checkout, refund[s]?.

Secrets pattern: extend secrets → secret[s]? to also catch the
singular `secret/` directory convention.

Selftest grows from 41 → 60 RISKY cases (19 new segment-match
examples across all three categories) and 16 → 25 SAFE cases
(9 new substring/filename-prefix counter-examples like
`sessionsutil.go`, `passkeystore.go`, `subscriber.go`,
`secretly.go`, `test_authorization_logic.py`).

Scope limit (documented inline in the selftest): pattern is
path-segment-anchored, not filename-prefix. Rails/Django/Express
conventions like `controllers/sessions_controller.rb` or
`routes/logout.py` are intentionally NOT matched globally — those
belong in per-caller `risk-paths.yml`. Catching them here would
also over-match `helpers/auth_helper.py` and similar adjacent
files. Precision over recall.

Vendor names (stripe, paypal, braintree) intentionally skipped —
also per-caller.

Auto-merge rationale: in the manual-merge category (touches
.github/workflows/**). Risk-tier path-scan correctly blocks this
PR on the new patterns themselves.

Codex pre-review: skipped — additive regex + test cases, ~50 LOC,
regression surface covered by selftest.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Accidentally staged in the previous commit. Add to .gitignore so
local downloads of the linter don't get picked up again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions Bot added the `risk:blocked` (Risk class: blocked) label May 24, 2026

@github-actions

Risk class: blocked — manual merge required.

This PR touches one of the blocked path categories from .github/risk-paths.yml (Dockerfiles, docker-compose, .github/workflows/**, **/.env*, **/secrets*, infra/, terraform/, k8s/, or the classifier config itself).

Auto-merge is refused by claude-author-automerge.yml. A maintainer should review the diff and click "Squash and merge" themselves.

(This is a policy notice, not a code-quality failure. The classify job itself does not fail — required CI checks remain authoritative for "is the code green.")

@github-actions

Coverage Floor — mode: enforce

| metric | value |
| --- | --- |
| measured | 100.0% |
| floor (current) | 99.0% |
| target | 100.0% |
| last bumped | 2026-05-12 |


claude Bot commented May 24, 2026

No issues found. Regex changes are correct, segment-anchoring holds for all new SAFE/RISKY cases, and patterns are in sync between the workflow and selftest. Procedural note: the inline comment asks to also update install-automerge-policy.sh and the global CLAUDE.md policy block — worth confirming those were updated out-of-band if they exist externally.

@topcoder1 topcoder1 merged commit 85fb4f7 into main May 24, 2026
13 checks passed
@topcoder1 topcoder1 deleted the claude/expand-automerge-risk-globs branch May 24, 2026 21:24