Commit e6eb4b5
feat: add ci-mx custom agent for deterministic CI failure resolution
Adds .github/agents/ci-mx.md, a custom Copilot agent (invocable from
PR comments to @copilot, the GitHub Agents tab, and Copilot CLI
sub-agent calls) that resolves CI failures in two narrowly-scoped
workflows: govulncheck.yaml and baseimages.yaml.
Design properties:
- Two operating modes: diagnose (read-only triage, default) and fix.
Inferred from invocation language.
- Workflow-scoped Discovery with per-failure applicability inference:
reads the failing workflow's repo-wide state, then reads the target
branch's actual contents (go.mod, go.sum, render-input tree SHAs)
via gh api to decide whether the failure applies. No reliance on
recent branch-scoped runs or nightly triggers.
- Five canonical STOP categories (out-of-scope, unfixable,
cannot-publish, env-broken, input-invalid) with reason text.
- Never commits to the source PR. Opens a separate ci-mx-owned fix
PR on a fresh branch, cross-linked from the source PR. Isolated
worktree at the failing run's exact head SHA (no force-push hazard).
- Strict edit allowlist: go.mod / go.sum / vendor/** for govulncheck;
only files make dockerfiles rewrites for baseimages. Never workflow
YAML, Makefile, matrix, Dockerfile templates, or Go toolchain.
- Directive guards: go get / tidy that bumps go or toolchain
directive triggers stop:out-of-scope.
- Allowlist-explicit git add per touched module + clean-tree handoff
between playbooks (BPF go generate outputs never reach commits).
- Conventional-commits PR titles (ci: <description> [(release/vX.Y)])
+ always-on labels (ci, Agent-Generated, +dependencies for
govulncheck). Component labels left to human reviewers.
- Duplicate-detection at fix-PR creation: open ci-mx fix PRs targeting
the same branch trigger a first-encounter STOP that surfaces three
resolution options (supersede, update, defer) in the assistant
response, on the existing fix PR, and on the source PR.
- Cleanup snippet runs at every STOP and on the success path
(releases worktree + local branch ref).
Validation during authoring:
- Three rubber-duck critique rounds folded into the design.
- Four review findings from copilot-pull-request-reviewer[bot] fixed
(per-workflow run-ID disambiguation, dropped unsafe PR-headRefOid
fallback, allowlist-explicit staging, govulncheck version pinning).
- Two PoC iterations against master / release/v1.7 / release/v1.6:
  - Diagnose mode confirmed correct classification across branches,
    including suppressing modules that don't exist on release branches
    via does-not-apply, and STOP:unfixable for non-vuln BPF build
    failures.
  - Fix mode opened three draft PRs (#4442, #4443, #4444) with valid
    baseimages re-renders against the three release trains; govulncheck
    correctly skipped per the all-or-nothing matrix rule when stdlib
    STOPs were present.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent: d892ddc
1 file changed
Lines changed: 830 additions & 0 deletions