chore(wheelhouse): cascade template@ac368a9b

Auto-applied by socket-wheelhouse sync-scaffolding into cascade-socket-bin-75697.
3 file(s) touched:
  - .claude/hooks/fleet/gh-token-hygiene-guard/index.mts
  - .claude/skills/agent-ci/SKILL.md
  - .claude/skills/agent-ci/reference.md

Author: jdalton

.claude/hooks/fleet/gh-token-hygiene-guard/index.mts

@@ -635,7 +635,26 @@ function platformAuthGuidance(): readonly string[] {
     ]
   }
   if (process.platform === 'darwin') {
+    const noTty = !process.stdin.isTTY
     const osBlocked = isOsascriptBlocked()
+    const ttyNote = noTty
+      ? [
+          'This shell has no controlling TTY, so the Touch ID prompt',
+          "can't surface — `sudo` needs an interactive parent to ask",
+          'for the biometric confirmation. Common cause: running via',
+          "a tool that spawns subprocesses without `-it` (Claude Code's",
+          'Bash tool, CI runners, headless scripts).',
+          '',
+          'Workaround: run the gh refresh from your own terminal:',
+          '',
+          '  gh auth refresh -h github.com -s workflow',
+          '',
+          'Touch the sensor when prompted. The session-bound grant',
+          'will land at ~/.claude/gh-workflow-grant; the next workflow',
+          'dispatch in this Claude session will then pass through.',
+          '',
+        ]
+      : []
     const mdmNote = osBlocked
       ? [
           'An MDM (iru / Jamf / Mosyle / Kandji) is intercepting',
@@ -645,6 +664,7 @@ function platformAuthGuidance(): readonly string[] {
         ]
       : []
     return [
+      ...ttyNote,
       ...mdmNote,
       'Enable Touch ID for sudo (copy-paste verbatim — `EOF` MUST be',
       'at column 0, no leading whitespace, or the heredoc will hang):',

.claude/skills/agent-ci/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: agent-ci
+description: Run this repo's GitHub Actions workflows locally in Docker with Agent CI to validate changes before pushing. Use before opening or updating a PR, after editing a workflow YAML under .github/workflows, or whenever catching a CI failure locally beats waiting on a remote runner.
+user-invocable: true
+allowed-tools: Bash, Read, Edit
+---
+
+# agent-ci
+
+Run the repo's CI pipeline locally before pushing. CI was green before you started, so any failure the local run surfaces comes from your changes.
+
+RedwoodJS wrote the upstream tool and skill (MIT, https://github.com/redwoodjs/agent-ci). The fleet pins `@redwoodjs/agent-ci` in the wheelhouse catalog and runs it through `pnpm exec`, never `npx`. Edit only in `socket-wheelhouse/template/`; the cascade refreshes downstream copies.
+
+## Requirements
+
+- **Docker must be running** — each job runs in a container. No daemon means the run can't start; fall back to the `greening-ci` skill or remote CI.
+- **The dep is already installed** — `@redwoodjs/agent-ci` is a fleet devDependency (`catalog:`), provisioned by `pnpm install`.
+
+## Run
+
+```bash
+pnpm exec agent-ci run --quiet --all --pause-on-failure
+```
+
+`--all` runs the PR/push workflows for the current branch. `--pause-on-failure` stops at the first failed step and holds the container open for `retry`. Pipes are safe: when stdout is not a TTY the launcher detaches and the foreground process exits **77** the moment a step pauses, so `| tee log` and `> log.txt` work.
+
+## Fix and retry
+
+When a step fails the run pauses. Fix the code, then retry the paused runner — don't restart the whole pipeline:
+
+```bash
+pnpm exec agent-ci retry --name <runner-name>
+```
+
+Re-run from an earlier step with `--from-step <N>`. Repeat fix → retry until every job passes. Don't push to trigger remote CI when agent-ci can run it locally.
+
+## Reference
+
+- **Machine-readable `--json` event stream, the full requirements rationale, and the agent-ci-vs-remote-CI decision matrix**: see [reference.md](reference.md).

.claude/skills/agent-ci/reference.md

@@ -0,0 +1,55 @@
+# agent-ci reference
+
+## Contents
+
+- Machine-readable output (`--json`)
+- The exit-77 pause contract
+- Requirements rationale (Docker, install)
+- When to use agent-ci vs. remote CI
+- Command summary
+
+## Machine-readable output (`--json`)
+
+Add `--json` (or set `AGENT_CI_JSON=1`) to emit an NDJSON event stream on stdout — one JSON object per line. Use it for programmatic monitoring instead of grepping plaintext.
+
+Events:
+
+- `run.start` — carries `schemaVersion: 1` and `runId`.
+- `job.start`, `job.finish` — `status: passed | failed`.
+- `step.start`, `step.finish` — `status: passed | failed | skipped`.
+- `run.paused` — carries `runner` and `retry_cmd` (the exact command to resume).
+- `run.finish` — `status: passed | failed`.
+- `diagnostic` — non-fatal notices.
+
+`--json` is independent of `--quiet`. The diff renderer is auto-suppressed under `--json` so ANSI escapes don't collide with the stream.
+
+The robust agent loop: parse the stream, react to `run.paused` (fix the failure named in `runner`), then run the `retry_cmd` it carries. No plaintext parsing required.
+
+## The exit-77 pause contract
+
+When stdout is not a TTY (piped, redirected, captured by a parent process), the launcher detaches the run. The foreground process exits **77** the instant a step pauses. This frees the pipe — `| tee`, `> log.txt`, command substitution — while the container stays paused in the background, ready for `retry`. Exit 77 means "paused, awaiting retry," not "failed."
+
+## Requirements rationale
+
+- **Docker.** agent-ci executes each workflow job inside a container, the same way GitHub's runners do. Without a running Docker daemon the run cannot start. There is no degraded mode; use `greening-ci` (push and watch remote CI) instead.
+- **Install.** `@redwoodjs/agent-ci` is a fleet devDependency declared as `catalog:` in every repo's `package.json`, pinned in the wheelhouse `pnpm-workspace.yaml` catalog. `pnpm install` provisions it. The published package is a self-contained Node CLI (`dist/cli.js`) — it has no platform-binary dependencies and its `ssh2` native build scripts are declined in the fleet's `allowBuilds`/`allowScripts` (the CLI runs without them).
+
+## When to use agent-ci vs. remote CI
+
+| Situation | Use |
+| --- | --- |
+| Edited a workflow YAML (`.github/workflows/*.yml`) | agent-ci first — a malformed workflow fails the same locally and remotely, skipping the push/wait loop. |
+| Code change that only needs lint / typecheck / unit tests | `pnpm run check --all` — faster than spinning up containers for the pure-Node gates. |
+| Workflow does something the local scripts don't (matrix, container steps, action wiring, secrets-shaped env) | agent-ci. |
+| No Docker, or the failure needs an off-machine action (a deploy, a remote service) | push and use `greening-ci`. |
+
+## Command summary
+
+| Command | Purpose |
+| --- | --- |
+| `pnpm exec agent-ci run --all --pause-on-failure` | Run the branch's PR/push workflows; pause on first failure. |
+| `pnpm exec agent-ci run --workflow <path>` | Run a single workflow file. |
+| `pnpm exec agent-ci retry --name <runner>` | Resume a paused runner after a fix. |
+| `pnpm exec agent-ci retry --name <runner> --from-step <N>` | Resume from an earlier step. |
+
+Add `--quiet` to suppress the live renderer, `--json` for the NDJSON stream.