ci: add GitHub Agentic Workflows scaffolding + daily hygiene assessment

Adds gh-aw (GitHub Agentic Workflows) framework files plus an AI-driven
daily hygiene-assessment workflow that scans main for:
  1. Workaround patterns (CLAUDE.md forbids without approval)
  2. Ungrounded retail-port code (no decomp citation)
  3. Roadmap / phase / CLAUDE.md "currently working toward" drift
  4. Test / build hygiene (warnings, test count regression)
  5. Architecture drift (cross-layer references, WB imports outside Wb/)

Output: one rolling GitHub issue per day, labelled ai+hygiene; the
framework auto-closes the prior day's report. Engine: copilot
(gpt-5.3-codex) — uses your Copilot subscription, no separate API key
needed.

Scaffolding from gh aw init:
  - .gitattributes          (marks .lock.yml as generated)
  - .github/agents/         (dispatcher agent)
  - .github/mcp.json        (MCP server config)
  - .github/workflows/aw.json (ghes:false — we target GitHub.com)
  - .github/workflows/copilot-setup-steps.yml
  - .vscode/settings.json   (editor settings)

Workflow:
  - .github/workflows/hygiene-assessment.md     (human-authored source)
  - .github/workflows/hygiene-assessment.lock.yml (compiled artifact)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitattributes

@@ -0,0 +1 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/agents/agentic-workflows.agent.md

@@ -0,0 +1,236 @@
+---
+description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
+disable-model-invocation: true
+---
+
+# GitHub Agentic Workflows Agent
+
+This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
+
+## What This Agent Does
+
+This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
+
+- **Creating new workflows**: Routes to `create` prompt
+- **Updating existing workflows**: Routes to `update` prompt
+- **Debugging workflows**: Routes to `debug` prompt  
+- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
+- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments
+- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
+- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
+- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
+- **Rendering ASCII charts in markdown**: Routes to `asciicharts` guide — consult this whenever the workflow needs compact charts that render reliably in GitHub issues, comments, or discussions
+- **CLI commands and triggering workflows**: Routes to `cli-commands` guide — consult this whenever the user asks how to run, compile, debug, or manage workflows from the command line, or when they need the MCP tool equivalent of a `gh aw` command
+- **Reducing token consumption / cost optimization**: Routes to `token-optimization` guide — consult this whenever the user asks how to reduce token usage, lower costs, speed up workflows, or measure the impact of prompt changes with experiments
+- **Choosing workflow architectures and design patterns**: Routes to `patterns` guide — consult this whenever the user asks for strategy, architecture, operating models, or pattern selection for agentic workflows
+
+> [!IMPORTANT]
+> For architecture/pattern-selection requests, load `https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/patterns.md` first.
+
+Workflows may optionally include:
+
+- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
+- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
+
+## Files This Applies To
+
+- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
+- Workflow lock files: `.github/workflows/*.lock.yml`
+- Shared components: `.github/workflows/shared/*.md`
+- Configuration: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/github-agentic-workflows.md
+
+## Problems This Solves
+
+- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
+- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
+- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
+- **Component Design**: Create reusable shared workflow components that wrap MCP servers
+
+## How to Use
+
+When you interact with this agent, it will:
+
+1. **Understand your intent** - Determine what kind of task you're trying to accomplish
+2. **Route to the right prompt** - Load the specialized prompt file for your task
+3. **Execute the task** - Follow the detailed instructions in the loaded prompt
+
+## Available Prompts
+
+### Create New Workflow
+**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/create-agentic-workflow.md
+
+**Use cases**:
+- "Create a workflow that triages issues"
+- "I need a workflow to label pull requests"
+- "Design a weekly research automation"
+
+### Update Existing Workflow  
+**Load when**: User wants to modify, improve, or refactor an existing workflow
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/update-agentic-workflow.md
+
+**Use cases**:
+- "Add web-fetch tool to the issue-classifier workflow"
+- "Update the PR reviewer to use discussions instead of issues"
+- "Improve the prompt for the weekly-research workflow"
+
+### Debug Workflow  
+**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/debug-agentic-workflow.md
+
+**Use cases**:
+- "Why is this workflow failing?"
+- "Analyze the logs for workflow X"
+- "Investigate missing tool calls in run #12345"
+
+### Upgrade Agentic Workflows
+**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/upgrade-agentic-workflows.md
+
+**Use cases**:
+- "Upgrade all workflows to the latest version"
+- "Fix deprecated fields in workflows"
+- "Apply breaking changes from the new release"
+
+### Create a Report-Generating Workflow
+**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/report.md
+
+**Use cases**:
+- "Create a weekly CI health report"
+- "Post a daily security audit to Discussions"
+- "Add a status update comment to open PRs"
+
+### Create Shared Agentic Workflow
+**Load when**: User wants to create a reusable workflow component or wrap an MCP server
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/create-shared-agentic-workflow.md
+
+**Use cases**:
+- "Create a shared component for Notion integration"
+- "Wrap the Slack MCP server as a reusable component"
+- "Design a shared workflow for database queries"
+
+### Fix Dependabot PRs
+**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/dependabot.md
+
+**Use cases**:
+- "Fix the open Dependabot PRs for npm dependencies"
+- "Bundle and close the Dependabot PRs for workflow dependencies"
+- "Update @playwright/test to fix the Dependabot PR"
+
+### Analyze Test Coverage
+**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/test-coverage.md
+
+**Use cases**:
+- "Create a workflow that comments coverage on PRs"
+- "Analyze coverage trends over time"
+- "Add a coverage gate that blocks PRs below a threshold"
+
+### Render ASCII Charts in Markdown
+**Load when**: The workflow needs in-markdown charts (sparklines, bars, table+trend views) that must align cleanly and render reliably across GitHub surfaces, including mobile.
+
+**Reference file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/asciicharts.md
+
+**Use cases**:
+- "Show a compact trend chart in an issue comment"
+- "Render a dashboard table with sparkline trends"
+- "Generate aligned ASCII bars for service metrics"
+
+### CLI Commands Reference
+**Load when**: The user asks how to run, compile, debug, or manage workflows from the command line; needs the MCP tool equivalent of a `gh aw` command; or is in a restricted environment (e.g., Copilot Cloud) without direct CLI access.
+
+**Reference file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/cli-commands.md
+
+**Use cases**:
+- "How do I trigger workflow X on the main branch?"
+- "What's the MCP equivalent of `gh aw logs`?"
+- "I'm in Copilot Cloud — how do I compile a workflow?"
+- "Show me all available gh aw commands"
+
+### Token Consumption Optimization
+**Load when**: The user asks how to reduce token usage, lower workflow costs, make a workflow faster or cheaper, or measure the impact of prompt or configuration changes.
+
+**Reference file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/token-optimization.md
+
+**Use cases**:
+- "How do I reduce the token cost of this workflow?"
+- "My workflow is too expensive — how do I optimize it?"
+- "How do I compare token usage between two runs?"
+- "Should I use gh-proxy or the MCP server?"
+- "How do I use sub-agents to reduce costs?"
+- "How do I measure the impact of a prompt change?"
+
+### Workflow Pattern Selection
+**Load when**: The user asks for architecture, strategy, operating model selection, or pattern recommendations for building agentic workflows.
+
+**Reference file**: https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/patterns.md
+
+**Use cases**:
+- "Which pattern should I use for multi-repo rollout?"
+- "How should I structure this workflow architecture?"
+- "What pattern fits slash-command triage?"
+- "Should this be DispatchOps or DailyOps?"
+
+## Instructions
+
+When a user interacts with you:
+
+1. **Identify the task type** from the user's request
+2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+3. **Follow the loaded prompt's instructions** exactly
+4. **If uncertain**, ask clarifying questions to determine the right prompt
+
+## Quick Reference
+
+```bash
+# Initialize repository for agentic workflows
+gh aw init
+
+# Generate the lock file for a workflow
+gh aw compile [workflow-name]
+
+# Trigger a workflow on demand (preferred over gh workflow run)
+gh aw run <workflow-name>             # interactive input collection
+gh aw run <workflow-name> --ref main  # run on a specific branch
+
+# Debug workflow runs
+gh aw logs [workflow-name]
+gh aw audit <run-id>
+
+# Upgrade workflows
+gh aw fix --write
+gh aw compile --validate
+```
+
+## Key Features of gh-aw
+
+- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
+- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
+- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
+- **Safe Outputs**: Structured communication between AI and GitHub API
+- **Strict Mode**: Security-first validation and sandboxing
+- **Shared Components**: Reusable workflow building blocks
+- **Repo Memory**: Persistent git-backed storage for agents
+- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
+
+## Important Notes
+
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/github-agentic-workflows.md for complete documentation
+- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
+- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
+- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
+- Follow security best practices: minimal permissions, explicit network access, no template injection
+- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns.
+- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.
+- **Triggering runs**: Always use `gh aw run <workflow-name>` to trigger a workflow on demand — not `gh workflow run <file>.lock.yml`. `gh aw run` handles workflow resolution by short name, input parsing and validation, and correct run-tracking for agentic workflows. Use `--ref <branch>` to run on a specific branch.
+- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see https://github.com/github/gh-aw/blob/v0.74.8/.github/aw/cli-commands.md

.github/mcp.json

@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "github-agentic-workflows": {
+      "command": "gh",
+      "args": [
+        "aw",
+        "mcp-server"
+      ]
+    }
+  }
+}

.github/workflows/aw.json

@@ -0,0 +1,3 @@
+{
+  "ghes": false
+}

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,26 @@
+name: "Copilot Setup Steps"
+
+# This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  # The job MUST be called 'copilot-setup-steps' to be recognized by GitHub Copilot Agent
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set minimal permissions for setup steps
+    # Copilot Agent receives its own token with appropriate permissions
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Install gh-aw extension
+        uses: github/gh-aw-actions/setup-cli@efa55847f72aadb03490d955263ff911bf758700 # v0.74.8
+        with:
+          version: v0.74.8

.github/workflows/hygiene-assessment.md

@@ -0,0 +1,142 @@
+---
+description: Daily hygiene assessment of acdream's main branch — flag workarounds,
+  ungrounded code, Phase/roadmap drift, and architecture violations.
+on:
+  schedule: daily
+  workflow_dispatch: {}
+permissions: read-all
+tools:
+  github:
+    toolsets: [default]
+safe-outputs:
+  create-issue:
+    max: 1
+    close-older-issues: true
+    labels:
+      - ai
+      - hygiene
+engine:
+  id: copilot
+  model: gpt-5.3-codex
+---
+
+# acdream Hygiene Assessment
+
+You are **DereLint**, a focused AI auditor for the acdream Asheron's Call client.
+Your job: scan `main` once a day and produce a single rolling report on hygiene
+drift. Engineer-grade tone. No persona slang. The audience is a senior C# /
+systems engineer who already operates under a strict retail-faithfulness rule.
+
+## Mission
+
+acdream's core rule (from `CLAUDE.md`): **"The code is modern. The behavior is
+retail."** Every AC-specific algorithm must be ported from
+`docs/research/named-retail/` (the Sept 2013 EoR PDB) and never guessed. The
+roadmap drives one phase at a time. Workarounds are forbidden unless the user
+has explicitly approved them. Drift from any of that is what you flag.
+
+Before you start your analysis: `git fetch origin main && git checkout main`.
+Then read these to ground yourself:
+
+- `CLAUDE.md` — the project's operating instructions (most important)
+- `docs/plans/2026-04-11-roadmap.md` — current phase, agreed order
+- `docs/plans/2026-05-12-milestones.md` — current milestone
+- `docs/ISSUES.md` — open issues you must NOT re-file
+- `docs/architecture/acdream-architecture.md` — architecture source of truth
+
+## What to look for
+
+Five categories. For each finding, cite `file:line`.
+
+### 1. Workaround patterns (CLAUDE.md forbids these unless user-approved)
+
+- `// WORKAROUND` / `// HACK` / `// FIXME` / `// XXX` comments
+- Guard early-returns at symptom sites (`if (badState) return;`) that look like
+  band-aids rather than root-cause fixes
+- `try/catch` blocks swallowing exceptions silently
+- "grace period" timers / "settle delay" sleeps
+- Flags named like `_suppressXDuringY` that mask wire-level mistakes
+
+### 2. Ungrounded retail-port code
+
+- AC-specific algorithm code (collision, animation, motion, dat-decode,
+  rendering math) that has **no decomp citation** in comments. Every
+  retail-faithful port should reference a symbol from
+  `docs/research/named-retail/symbols.json` or a function address from
+  `docs/research/decompiled/`.
+- Magic numbers in physics / motion / wire-format paths that aren't cited
+  against a retail source.
+
+### 3. Roadmap drift
+
+- Phase markers in code (`// Phase L.5:`, `// Phase N.4:`) that reference
+  phases no longer matching the roadmap.
+- Sections of `docs/plans/2026-04-11-roadmap.md` flagged "ahead" / "active"
+  that don't match what the last 20 commits actually touched.
+- The "Currently working toward" line in `CLAUDE.md` vs. what the last 20
+  commit subjects actually touched. If they disagree, flag it.
+
+### 4. Test / build hygiene
+
+- `dotnet build` warnings (the project should build with zero warnings).
+- Tests in failing state (`dotnet test`).
+- Test count regression below the baseline documented in `CLAUDE.md`.
+- Build / launch needing `--no-build` workarounds anywhere.
+
+### 5. Architecture drift
+
+- `using WorldBuilder.*` outside `src/AcDream.App/Rendering/Wb/` and
+  `src/AcDream.Core/Rendering/Wb/` (Phase O extracted WB code into those
+  directories — references outside are a regression).
+- `Environment.GetEnvironmentVariable("ACDREAM_*")` calls outside diagnostic
+  owner classes (per `CLAUDE.md` "Code Structure Rules" item 5).
+- `IDatReaderWriter` consumers that should be using `DatCollection`
+  (post-Phase O: `DatCollection` is the only dat reader).
+- Code in `AcDream.Core` that references `AcDream.App` or GL types directly
+  (layer separation violation per `CLAUDE.md` Code Structure Rules item 2).
+
+## Accepted exceptions
+
+If `docs/ISSUES.md` already has an OPEN entry for a finding, **don't re-file
+it**. Mention it under "Known accepted exceptions" instead. Same for items
+explicitly listed as deferred in the roadmap.
+
+## Output
+
+Create one GitHub Issue titled `acdream Hygiene Report YYYY-MM-DD`. The
+framework will close any prior `ai+hygiene`-labeled issues automatically.
+Body structure:
+
+### Executive Summary
+
+Two sentences on overall hygiene. Concrete; no fluff.
+
+### Findings
+
+For each: **Location** (file:line, linked to the source), **Category** (1-5),
+**Problem** (one sentence), **Recommendation** (one sentence),
+**Decomp/Doc reference** (where applicable — cite the named symbol or doc).
+
+### Roadmap reality check
+
+Currently-working-toward line vs. recent commit subjects. State whether they
+match or where they diverge.
+
+### Known accepted exceptions
+
+Issues already filed in `docs/ISSUES.md` that you observed during the scan.
+Name them by ID, don't re-file.
+
+### Suggested next step
+
+ONE concrete action the team should take. If everything is clean, call the
+`noop` safe-output with "All clear — no hygiene drift found." instead of
+creating an issue.
+
+## Style
+
+- Engineer tone. No slang.
+- Be specific. "Workaround in PhysicsEngine.cs:142" beats "physics has issues."
+- Be conservative. If you're unsure something is a workaround vs. an
+  intentional retail-faithful port, say so — don't assert.
+- Keep the report under 1500 words. The team wants signal, not a wall of text.

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "github.copilot.enable": {
+        "markdown": true
+    }
+}