feat(ci): make BM Bossbot a deterministic merge gate

[phernandez]

Summary

Two BM Bossbot fixes, both from today's incident review:

1. Unresolved review threads now block approval

PR #932 was merged with two unresolved Codex P2 review threads because nothing in the gate looks at review feedback: Bossbot's review prompt sees only metadata+diff, Codex connector reviews are COMMENTED-state (never flip reviewDecision), and the approval status is keyed to a head SHA with no re-evaluation when comments arrive.

• finalize now counts unresolved reviewThreads via GraphQL (paginated) and fails the BM Bossbot Approval status when any remain — even on an approve verdict.
• New recheck command + workflow job triggered by pull_request_review, pull_request_review_comment, and pull_request_review_thread events: new feedback flips the status to failure; resolving the last thread restores a previously earned approval for the same head SHA (approval history is read from commit statuses, so thread resolution alone can never upgrade a pending/failed review).
• Review and recheck use separate job-level concurrency groups so thread events can't cancel an in-flight review (workflow-level concurrency previously made cross-cancellation possible).

2. PR images depict the PR's content, not the review outcome

Every generated image was an "BM BOSSBOT APPROVED" stamp because the image prompt's only source material was the review summary block (verdict/status). The prompt now:

• sources the PR title + the author's own description (all managed bot blocks stripped) so the image expresses the theme of the whole change
• explicitly bans approval stamps, APPROVED/SUCCESS/verdict wording, badges, checkmarks, SHA strings, and Bossbot branding
• seeds auto-theme selection on PR number+title (stable across re-reviews)

The assets workflow step now passes --pr-title.

Test plan

• uv run pytest tests/scripts/ -q — 30 passed (new coverage: thread-blocking finalize, GraphQL pagination, all three recheck outcomes, approval-record matching, content extraction, verdict-free prompt)
• uv run ty check tests/scripts/ clean; workflow YAML validated

Refs #932

🤖 Generated with Claude Code

Reviewed SHA: 513fef79c5da67d7edc187329e66c17712b57103
Verdict: changes_requested
Status: failure - BM Bossbot requested changes

Summary:
Reviewed the provided diff. The deterministic gate direction is mostly coherent, but the automatic restore path for resolved review threads depends on an unsupported Actions trigger, so the required status can remain failed after all feedback is resolved.

Blocking findings:

• Thread-resolution recheck relies on a non-triggering Actions event: .github/workflows/bm-bossbot.yml:22 adds pull_request_review_thread with resolved/unresolved types, but GitHub Actions' documented trigger list includes pull_request_review and pull_request_review_comment, not pull_request_review_thread. Resolving the last review thread therefore will not automatically run the recheck job, leaving the required BM Bossbot Approval status failed until someone manually reruns Bossbot. Use a supported trigger or another deterministic polling/status refresh path for thread resolution before relying on this as a merge gate.

Non-blocking findings:

• CI-only quarantine weakens sync regression coverage: tests/sync/test_sync_service.py skips the circular-relations sync test under CI. The tracking note for Timing-sensitive tests exposed by faster test suite (post-#938): circular-relations batch indexing, mcp sse routing #940 helps, but this removes CI coverage for exactly the unresolved batch-indexing race until the root cause lands. Keep the quarantine short-lived and restore CI coverage with the fix.

[phernandez]

Superseded: BM Bossbot is being removed entirely (workflow disabled, required check dropped from the ruleset, files deleted via #945). The salvageable pieces of this branch — pytest-timeout and the #940 quarantine — are carried by #945.