feat(claude-automerge): risk_main_go opt-out for Go-monorepo tool entrypoints

[topcoder1]

Problem

The risk-tier path scan in claude-author-automerge.yml treats any main.go as manual-merge (added in #77 for single-service repos where cmd/<reponame>/main.go is the deployed service). In a Go monorepo, most cmd/*/main.go are dev/CLI tools, not the deployed service — and the bare (^|/)main\.go$ pattern can't distinguish cmd/<service>/main.go from cmd/<tool>/main.go, so it false-flags every tool entrypoint.

Concrete case: techrecon#230 (a header-determinism fix touching four cmd/techrecon-*/main.go tool entrypoints — load, regress, bench, detection-counts) was blocked from auto-merge purely on the main.go pattern. None are deployed services (techrecon's only deployed binary is cmd/ja4-enrichment).

Change

Add a risk_main_go workflow input (boolean, default true → zero fleet change). When a caller sets it false, the main.go pattern is dropped from the risk scan at runtime via a fixed-string filter (grep -vF 'main\.go'); every other risk-tier pattern still fires. Such callers gate their real deployed entrypoint via their own .github/risk-paths.yml.

• Default true preserves existing behavior for all current callers (incl. wxa-mcp-server).
• The patterns string itself is unchanged, so the shared-corpus / BB-variant sync is preserved.
• Selftest extended: with the filter, main.go paths (incl. cmd/<service>/main.go) do not match, while auth / Dockerfile / migrations / oauth2 still match. A sanity check asserts the filter removes exactly the main.go line.

Verification

• bash selftest/test_automerge_risk_patterns.sh -> PASS (existing cases + new opt-out cases).
• actionlint on the workflow -> clean.
• Diff is exactly 2 files (+68 LOC).

Follow-up

A companion PR on whois-api-llc/techrecon will set risk_main_go: false in its caller and gate cmd/ja4-enrichment/** (the real deployed service) via risk-paths.yml. It depends on this input existing on @main, so this merges first.

Unrelated pre-existing issue spotted: the BB variant selftest (test_bb_automerge_risk_patterns.sh) reports 54 failures on clean main — bb-automerge.py's HIGH_RISK_PATTERNS has drifted from the shared corpus (mostly infra/* docs over-classified). Out of scope here; flagging for a separate fix.

Auto-merge rationale: Manual-merge — touches .github/workflows/**, and this repo doesn't install the caller (filename collision), so PRs here always require manual merge.

Codex pre-review: Skipped — additive workflow input + bash filter + selftest cases (~60 LOC); regression surface is covered by the selftest, not Codex.

🤖 Generated with Claude Code

[github-actions]

Risk class: blocked — manual merge required.

This PR touches one of the blocked path categories from .github/risk-paths.yml (Dockerfiles, docker-compose, .github/workflows/**, **/.env*, **/secrets*, infra/, terraform/, k8s/, or the classifier config itself).

Auto-merge is refused by claude-author-automerge.yml. A maintainer should review the diff and click "Squash and merge" themselves.

(This is a policy notice, not a code-quality failure. The classify job itself does not fail — required CI checks remain authoritative for "is the code green.")

[github-actions]

Coverage Floor — mode: enforce

metric	value
measured	100.0%
floor (current)	99.0%
target	100.0%
last bumped	2026-05-12

[claude]

No issues found. Filter logic, shell condition, default behavior, and selftest sanity check all look correct.