fix(automerge): treat NAF credit/billing gate code as high-risk#87

Merged
topcoder1 merged 1 commit into main from fix/naf-billing-gate-risk-pattern on May 28, 2026
Conversation

@topcoder1 (Owner)

Summary

whois-api-llc/wxa_webcat#438 — a fix to src/webcat/api/middleware/naf.py, the validate_call/log_successful_call client that authorizes and charges every customer API call — auto-merged because the path has no auth/billing keyword. The file is the billing gate but slipped through the risk-tier globs.

Adds a targeted pattern so NAF gate code requires manual click-merge:

`(^|/)naf(/|\.(py|go|ts|js)$)`
  • Matches a naf file or naf/ module at any depth → catches webcat's naf.py and asm-core's src/naf/client.go.
  • Scoped to the naf segment, not a broad middleware/ rule, so benign middleware (logging, CORS, rate-limit) isn't over-classified.
  • Kept in lock-step across the workflow regex and the GH selftest mirror (per the in-file "keep these in lock-step" note).

Changes

  • .github/workflows/claude-author-automerge.yml — pattern + category comment.
  • selftest/test_automerge_risk_patterns.sh — mirror pattern.
  • selftest/risk_patterns_corpus.txt — RISKY (naf.py, naf/client.go, internal/naf/validate.go) + SAFE (naf-integration.md, naffle/, snafu/) cases.

The matching bb-automerge.py change ships in a companion dotclaude PR so the shared corpus stays green on both selftests.

Test plan

  • bash selftest/test_automerge_risk_patterns.sh → all cases pass
  • BB_AUTOMERGE_PY=… bash selftest/test_bb_automerge_risk_patterns.sh → 142 cases pass (with the companion dotclaude change applied locally)

Auto-merge rationale: MANUAL-MERGE — touches .github/workflows/** (production CI infra), and ci-workflows PRs always require manual merge (the caller/reusable filename collision). Merge this together with the companion dotclaude PR to keep GH/BB in lockstep.

🤖 Generated with Claude Code
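The segment-anchored match the PR describes, written out as a stand-alone check (added example; not the workflow's or bb-automerge.py's own code). It assumes the pattern is applied with an unanchored regex search against repo-relative paths, and it contrasts the segment match with a naive `naf` substring match to show why the SAFE corpus entries matter.

```python
import re

# Pattern from the PR: `naf` must be a whole path segment, either a directory
# (`naf/`) or a source file with one of the listed extensions.
NAF_GATE_PATTERN = re.compile(r"(^|/)naf(/|\.(py|go|ts|js)$)")

# Naive alternative, included only to illustrate the over-blocking the PR's
# SAFE cases are there to catch (assumption: not a pattern the project uses).
NAIVE_SUBSTRING = re.compile(r"naf")

# Corpus mirroring the RISKY/SAFE entries the PR lists (constructed here).
CORPUS = {
    "src/webcat/api/middleware/naf.py": "RISKY",
    "src/naf/client.go": "RISKY",
    "internal/naf/validate.go": "RISKY",
    "naf-integration.md": "SAFE",   # hyphen breaks the segment, not a module
    "naffle/": "SAFE",              # `naff...` is a different segment
    "snafu/": "SAFE",               # `naf` preceded by `s`, not `/` or start
}


def classify(path: str, pattern: re.Pattern = NAF_GATE_PATTERN) -> str:
    """Return the risk tier a path gets under the given pattern."""
    return "RISKY" if pattern.search(path) else "SAFE"


def corpus_mismatches(pattern: re.Pattern = NAF_GATE_PATTERN) -> list:
    """Return (path, expected, got) for every corpus entry the pattern misclassifies."""
    return [
        (path, expected, classify(path, pattern))
        for path, expected in CORPUS.items()
        if classify(path, pattern) != expected
    ]


if __name__ == "__main__":
    for name, pat in (("segment", NAF_GATE_PATTERN), ("substring", NAIVE_SUBSTRING)):
        print(f"{name}: {len(corpus_mismatches(pat))} mismatches")
```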

wxa_webcat#438 auto-merged a fix to src/webcat/api/middleware/naf.py — the
validate_call/log_successful_call client that authorizes and charges every
customer API call — because the path contains no auth/billing keyword. The
file IS the billing gate but slipped through the risk-tier globs.

Add a targeted pattern `(^|/)naf(/|\.(py|go|ts|js)$)` matching a `naf` file
or `naf/` module at any depth (catches webcat's naf.py and asm-core's
src/naf/client.go), kept in lock-step across the workflow regex and the GH
selftest mirror. Scoped to the `naf` segment rather than a broad
`middleware/` rule so benign middleware (logging, CORS, rate-limit) is not
over-classified into manual-merge.

Corpus: RISKY entries for naf.py / naf/client.go / internal/naf/validate.go;
SAFE entries (naf-integration.md, naffle/, snafu/) proving the segment match
doesn't over-block substring look-alikes. The matching bb-automerge.py change
ships in dotclaude so the shared corpus stays green on both selftests.

GH selftest: all cases pass. BB selftest: 142 cases pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions github-actions Bot added the risk:blocked Risk class: blocked label May 28, 2026
@github-actions

Risk class: blocked — manual merge required.

This PR touches one of the blocked path categories from .github/risk-paths.yml (Dockerfiles, docker-compose, .github/workflows/**, **/.env*, **/secrets*, infra/, terraform/, k8s/, or the classifier config itself).

Auto-merge is refused by claude-author-automerge.yml. A maintainer should review the diff and click "Squash and merge" themselves.

(This is a policy notice, not a code-quality failure. The classify job itself does not fail — required CI checks remain authoritative for "is the code green.")

@github-actions

Coverage Floor — mode: enforce

| metric | value |
|---|---|
| measured | 100.0% |
| floor (current) | 99.0% |
| target | 100.0% |
| last bumped | 2026-05-12 |


claude Bot commented May 28, 2026

No issues found. Regex correctly anchors naf as a path segment (not substring), SAFE cases for naffle/ and snafu/ are sound, and RISKY/SAFE corpus is in lock-step with the workflow pattern.

@topcoder1 topcoder1 merged commit c43ca1e into main May 28, 2026
13 checks passed
@topcoder1 topcoder1 deleted the fix/naf-billing-gate-risk-pattern branch May 28, 2026 20:07