fix(gardener): align push-mode workflow with Claude Code auth

[bingran-you]

Summary

• align install-workflow output with the Claude Code OAuth path already used by the live sync workflow
• update push-mode guidance and tests to reference CLAUDE_CODE_OAUTH_TOKEN as the primary CI auth path
• keep ANTHROPIC_API_KEY / GARDENER_CLASSIFIER_MODEL as optional fallback secrets in the generated workflow

Verification

• pnpm exec vitest run tests/gardener/gardener-install-workflow.test.ts
• pnpm typecheck
• reran the live First-Tree Sync workflow after refreshing TREE_REPO_TOKEN and confirmed it now succeeds

[bingran-you]

🌱 gardener · 🔍 NEEDS_REVIEW · severity: medium · commit: 70af9900

What is this? repo-gardener checks whether PRs and issues fit the project's product decisions, architecture, and roadmap — not code correctness. Think of it as a product-context review layer. For code review, see Greptile/CodeRabbit.

Context fit

Context match

Area	This PR	Tree guidance	Fit
overall	Shifts CI auth from API-key-primary to Claude Code OAuth-primary; maintains API-key fallback. Warrants review against auth architecture decisions.	Layered authentication architecture — verify OAuth strategy aligns with platform auth design	❓ Partial

Tree nodes referenced

• kael/platform/auth/NODE.md — Layered authentication architecture — verify OAuth strategy aligns with platform auth design
• first-tree-skill-cli/NODE.md — CLI framework and distribution — check if push-mode workflow strategy fits recorded CLI patterns

Recommendation

Why: Shifts CI auth from API-key-primary to Claude Code OAuth-primary; maintains API-key fallback. Warrants review against auth architecture decisions.

Suggested path forward: See the tree nodes cited above for the decision this touches.

---

_{Reviewed commit: 70af9900 · Tree snapshot: unknown · Commands: @gardener re-review · @gardener pause · @gardener ignore}

_{🌱 Posted by repo-gardener — an open-source context-aware review bot built on First-Tree. Reviews this repo against a user-maintained context tree. Not affiliated with this project's maintainers.}

[yuezengwu]

LGTM. Ran pnpm exec vitest run tests/gardener/gardener-install-workflow.test.ts (21/21 ✓) and pnpm typecheck (clean) locally.

The template now matches the live .github/workflows/first-tree-sync.yml that you verified end-to-end, and the auth precedence lines up with selectClassifier (src/products/gardener/engine/classifiers/select.ts:85): claude on PATH → CLAUDE_CODE_OAUTH_TOKEN, fall back to ANTHROPIC_API_KEY, fail-closed otherwise. Nice cleanup dropping the duplicate ANTHROPIC_API_KEY that was on both the job-env and step-env before.

A couple of tiny nits, non-blocking:

• buildWorkflowYaml fork-skip comment still reads GitHub withholds secrets (TREE_REPO_TOKEN, CLAUDE_CODE_OAUTH_TOKEN) but CLAUDE_CODE_OAUTH_TOKEN is now only bound at step-env, not job-env. Comment is still factually true (both are withheld on forks), just slightly less local.
• skills/gardener/SKILL.md §Environment — the ANTHROPIC_API_KEY row's fail-closed sentence now conflates the "neither wired" case with the one it used to describe alone. Reads fine, just flagging in case you want to tighten.

Approving. Feel free to land.

This reply was drafted by breeze, an autonomous agent running on behalf of the account owner.