fix(claude-automerge): catch oauth2/* and main.go in risk-tier globs

.github/workflows/claude-author-automerge.yml

@@ -9,10 +9,17 @@ name: Claude-author Auto-merge (reusable)
 #     repo-specific block path without us having to keep a parallel regex).
 #
 #  2. Touching any risk-tier path category from the global CLAUDE.md policy:
-#     - auth / login / session / oauth / sso
+#     - auth / login / session / oauth / oauth2 / sso
 #     - secrets / env files / keychain / credentials
 #     - DB migrations / SQL files
 #     - billing / payment / pricing / invoice
+#     - Go service entrypoints (main.go at any depth — wires routes,
+#       middleware, secrets loading, DB init; touching it can change
+#       auth or transport behavior. Lesson 2026-05-24 from
+#       whois-api-llc/wxa-mcp-server#193 + #197 where Claude PRs
+#       modifying main.go + internal/oauth2/ auto-merged because the
+#       `oauth` alternation didn't catch `oauth2` and main.go had no
+#       pattern at all.)
 #     - production infra: Dockerfile, docker-compose, .github/workflows,
 #       .github/risk-paths.yml, .github/CODEOWNERS, infra/iam/, infra
 #       subdirs (deploy/terraform/pulumi/k8s/cloudformation/ansible/
@@ -252,14 +259,15 @@ jobs:
           # Risk-tier glob patterns (kept in sync with global CLAUDE.md policy).
           # If you add a category, also update install-automerge-policy.sh and
           # the CLAUDE.md policy block.
-          patterns='^(.*/)?(auth|login|session|oauth|sso)(/|$)
+          patterns='^(.*/)?(auth|login|session|oauth|oauth2|sso)(/|$)
           ^(.*/)?secrets(/|$)
           ^(.*/)?\.env($|\..*)
           ^(.*/)?keychain.*
           ^(.*/)?credentials.*
           ^(.*/)?migrations(/|$)
           .*\.sql$
           ^(.*/)?(billing|payment[s]?|pricing|invoice[s]?)(/|$)
+          (^|/)main\.go$
           (^|/)Dockerfile(\..*)?$
           ^docker-compose.*\.ya?ml$
           ^\.github/workflows/.*

selftest/test_automerge_risk_patterns.sh

@@ -12,14 +12,15 @@ set -euo pipefail
 
 # Mirror the patterns block from .github/workflows/claude-author-automerge.yml.
 # Keep these in lock-step — if you edit one, edit the other.
-patterns='^(.*/)?(auth|login|session|oauth|sso)(/|$)
+patterns='^(.*/)?(auth|login|session|oauth|oauth2|sso)(/|$)
 ^(.*/)?secrets(/|$)
 ^(.*/)?\.env($|\..*)
 ^(.*/)?keychain.*
 ^(.*/)?credentials.*
 ^(.*/)?migrations(/|$)
 .*\.sql$
 ^(.*/)?(billing|payment[s]?|pricing|invoice[s]?)(/|$)
+(^|/)main\.go$
 (^|/)Dockerfile(\..*)?$
 ^docker-compose.*\.ya?ml$
 ^\.github/workflows/.*
@@ -52,6 +53,13 @@ matches() {
 # Cases the regex MUST flag as risky (manual click-merge).
 RISKY=(
   "src/auth/login.py"
+  "internal/auth/security.go"            # auth segment, Go layout
+  "internal/oauth2/server.go"            # oauth2 alternation — wxa-mcp-server#193/#197 gap (2026-05-24)
+  "internal/oauth2/handler.go"
+  "pkg/oauth2/token.go"
+  "main.go"                              # Go entrypoint at root — wxa-mcp-server#193 gap
+  "cmd/server/main.go"                   # Go entrypoint under cmd/
+  "cmd/wxa-mcp-server/main.go"
   "secrets/api-keys.json"
   ".env.production"
   "src/keychain_helpers.py"
@@ -92,6 +100,11 @@ SAFE=(
   "src/wxa_vpn/api/routes.py"
   "tests/test_anything.py"
   "docs/data-dictionary.md"
+  "main_test.go"                         # adjacent to main.go but a test file
+  "internal/foo/main_test.go"
+  "internal/oauth2.md"                   # doc file mentioning oauth2 — pattern needs trailing / or end
+  "cmd/server/mainview.go"               # starts with "main" but not the literal main.go
+  "src/oauth2helper.go"                  # oauth2 substring but not a path segment
   "scripts/run_analysis.py"
   "infra/crontabs/wxa-scanner.crontab"   # cron schedule — wxa_vpn#439 case
   "infra/crontabs/wxa-scanner-active.crontab"