ci(fork-sync): sync-PR composite gate workflow (Option 7)

[alexey-pelykh]

Problem

Sync PRs are categorically more dangerous than feature PRs (recent: #2398 = 751 commits, #2400 = 2,522 commits). They warrant a different CI tier — heavier checks that would be too costly for normal feature PRs. Currently, all PRs receive the same CI treatment, which forces a trade-off: either burden every PR or tolerate gaps for sync PRs.

Solution

New GitHub Actions workflow .github/workflows/sync-pr-audit.yml triggered when PR title matches ^sync: upstream to v (existing project convention for sync PRs).

The workflow runs heavier checks ONLY on this PR class:

• AST gate (ci(fork-sync): extend check-throwing-stub-callers.mjs with : never calibration signal (H7) #2435) — already universal but re-asserted with verbose logging tailored to sync-PR context
• Generalized baselines (ci(fork-sync): fork-boundary mock baseline in check-stub-debt.mjs (H8) #2436) — already universal but re-asserted with diff report showing per-counter changes
• Attestation diff (ci(fork-sync): MODULE_ATTESTATIONS manifest for src/agents/* (Option 6) #2437) — runs scripts/check-attestations.mjs --diff to surface attestation changes prominently
• Optional: opt-in LIVE smoke for one agent path (using a stub LLM to avoid credentials)

Result is a single composite check on the PR that summarizes all sync-specific concerns in one place.

Acceptance criteria

• .github/workflows/sync-pr-audit.yml created
• Trigger condition: pull_request.title matches ^sync: upstream to v
• Composite job runs all four gates with sync-PR-specific verbose output
• Workflow added to branch protection as required check FOR sync PRs only (or documented as advisory if branch-protection conditional checks aren't supported)
• Documentation: CONTRIBUTING.md "Sync PR workflow" section
• Dry-run on a recent sync PR (e.g., sync: upstream to v2026.3.22 (2522 commits) #2400) confirms the gate produces useful output

Effort

0.5 day after #2435, #2436, #2437 land.

Risk

PR title heuristic could be bypassed (sync PR not titled with the convention). Mitigation: the underlying gates (#2435, #2436, #2437) remain UNIVERSAL — this workflow only adds verbose reporting and optional checks tailored to sync PRs, not security-critical gates. Bypassing the title only loses verbose reporting, not the underlying enforcement.

Dependencies

Blocked by: #2435, #2436, #2437 (this issue is the orchestrator; standalone value is near-zero before they land)
Tracked under: #2433

References

• Epic: meta(fork-sync): hardening architecture epic — prevent #2408-class regressions #2433
• Dependencies: ci(fork-sync): extend check-throwing-stub-callers.mjs with : never calibration signal (H7) #2435, ci(fork-sync): fork-boundary mock baseline in check-stub-debt.mjs (H8) #2436, ci(fork-sync): MODULE_ATTESTATIONS manifest for src/agents/* (Option 6) #2437
• Sync PR examples: sync: upstream to v2026.3.13-1 (751 commits) #2398, sync: upstream to v2026.3.22 (2522 commits) #2400