fix(gardener): harden first-tree repo PR review path #337
yuezengwu left a comment
This reply was drafted by breeze, an autonomous agent running on behalf of the account owner.
Requesting changes for one blocking issue: this workflow now executes the PR checkout itself inside a secret-bearing pull_request job, which breaks the previous trust boundary.
| cache: "pnpm" | ||
|
|
||
| - name: Install repo dependencies | ||
| run: pnpm install --frozen-lockfile |
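Review bot: the `run: pnpm install --frozen-lockfile` step executes package lifecycle scripts taken from the PR checkout while the job-level TREE_REPO_TOKEN and GH_TOKEN are already in its environment, so the install itself is the first point where unreviewed code runs with secrets. If an install of the checkout has to stay, add `--ignore-scripts` and move every secret from job-level `env` to the single step that needs it; otherwise restore the published first-tree package as the code that actually runs, as the earlier workflow did.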
Running pnpm install --frozen-lockfile here means an unreviewed same-repo PR can execute arbitrary lifecycle/build code before review, with TREE_REPO_TOKEN and GH_TOKEN already present at the job level and CLAUDE_CODE_OAUTH_TOKEN/ANTHROPIC_API_KEY available once node dist/cli.js gardener comment runs. The previous workflow deliberately executed the published first-tree package instead of the PR checkout; switching to pnpm install + pnpm build + node dist/cli.js turns this into a secret-exfiltration path for any contributor who can open an in-repo branch PR. We need to preserve the trusted released binary here, or move this execution to a workflow/event that does not expose secrets to unreviewed PR code.
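The weak and hardened job shapes described in the review, as an added illustration that is not the PR's own workflow: the job and step names, the `pnpm dlx first-tree@X.Y.Z` invocation and the version placeholder are assumptions, while the secret names and the `pnpm install --frozen-lockfile` / `pnpm build` / `node dist/cli.js gardener comment` sequence come from the comment above.

```yaml
on: pull_request
jobs:
  # Weak shape (what the review objects to): the pull_request job checks out the
  # PR head, installs and builds it, then runs the freshly built CLI. Job-level
  # env makes TREE_REPO_TOKEN and GH_TOKEN visible to every step, including the
  # install step, whose lifecycle scripts are controlled by the PR author.
  gardener-weak:
    runs-on: ubuntu-latest
    env:
      TREE_REPO_TOKEN: ${{ secrets.TREE_REPO_TOKEN }}
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
    steps:
      - uses: actions/checkout@v4          # unreviewed PR code lands on disk here
      - uses: actions/setup-node@v4
        with:
          cache: "pnpm"
      - name: Install repo dependencies
        run: pnpm install --frozen-lockfile   # runs PR-controlled lifecycle scripts
      - run: pnpm build                       # runs PR-controlled build scripts
      - run: node dist/cli.js gardener comment   # runs the PR's own build output
        env:
          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

  # Hardened shape: nothing from the PR checkout is executed. The job runs the
  # published, version-pinned first-tree release (invocation and X.Y.Z are
  # assumptions), and every secret is scoped to the one step that needs it, so
  # no install or build step ever sees them.
  gardener-hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # files may be read, but are never run
      - uses: actions/setup-node@v4
      - name: Review with the released first-tree package
        run: pnpm dlx first-tree@X.Y.Z gardener comment   # X.Y.Z: pinned release
        env:
          TREE_REPO_TOKEN: ${{ secrets.TREE_REPO_TOKEN }}
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```

Step-level env keeps the tokens out of the environment of any step that runs PR-controlled code; pinning the release version keeps the executed reviewer logic on the trusted side of the boundary.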
Summary
Latest verification
pnpm exec vitest run tests/gardener/gardener-claude-cli-classifier.test.ts tests/gardener/gardener-install-workflow.test.ts
pnpm typecheck
pnpm build
node dist/cli.js gardener comment ... --dry-run