fix(ci): block agent PR title prefixes

[bokelley]

Adds a PR title check workflow that blocks leading bracketed agent or tool ownership prefixes on PR titles. The checker accepts normal conventional-commits titles and rejects variants like [codex], [Claude Code], and [cursor-bot]. This also documents the title hygiene rule in AGENTS.md so coding agents keep review-facing titles concrete. Validation: node title-check smoke cases and git diff --check.

[aao-ipr-bot]

LGTM. Closes the agent-prefix loophole on the review-facing surface. Fail-closed at the wire (PR title) beats relying on every adopter to police it by hand.

Things I checked

• scripts/check-pr-title.cjs:10 — regex ^\[([^\]]+)\](?:\s|:|-|$) correctly accepts fix(ci): summary / feat(types): foo (no leading bracket, no match) and rejects [codex] fix: x, [Claude Code] fix: x, [cursor-bot] fix: x (token split on non-alphanumeric, set lookup on claude/cursor/codex).
• Ticket-style prefixes pass: [INFRA-123] tokenizes to infra, 123 — neither in the agent set. [WIP], [RFC] also pass.
• .github/workflows/pr-title-check.yml:18-20 — PR_TITLE is read from github.event.pull_request.title into env, then quoted as "$PR_TITLE" on the node invocation. No shell-injection surface; title content stays inside a single argv slot.
• permissions: contents: read is the minimum needed for actions/checkout. No write scope leaked.
• AGENTS.md edit is additive — one new H2 section, no public-surface drift.

Follow-ups (non-blocking — file as issues)

• 'ai' is the broadest token in the set. scripts/check-pr-title.cjs:11 — [ai-team-review] or any bracketed prefix containing bare ai will reject. openai and aider are listed separately so ai is doing little extra work. Consider dropping it or narrowing to ai-bot/ai-agent.
• Trivial bypass: [claude]foo with no separator slips through. The regex requires \s|:|-|$ after ]. Dropping the lookahead (^\[([^\]]+)\]) closes it without affecting any real-world title shape.
• synchronize trigger is redundant. Title doesn't change on push-to-branch, so the check re-runs on every commit for no reason. [opened, edited, reopened] is sufficient.
• Discoverability beyond AGENTS.md. A line in CONTRIBUTING.md or .github/pull_request_template.md would surface the rule before CI fails, not after. Human contributors don't read AGENTS.md.
• Error message could name the matched token. Right now it prints the title and a generic example. Echoing the offending token (Detected agent/tool token \"claude\" in leading [bracket]) plus a link to AGENTS.md cuts the contributor's diagnosis time.
• Conventional-commit prefix nit. fix(ci): for a brand-new check is closer to feat(ci): — non-blocking, release-please will resolve either way.

Minor nits (non-blocking)

1. No unit test for the script. Three or four node -e assertions in tests/ (or a scripts/check-pr-title.test.cjs) would prevent silent regex regressions. The token list will grow.

Notable that the PR introducing the agent-prefix check uses a title prefix-free of the very pattern it's about to ban — the new rule passes its own check before it lands. Sign-off held the standard.

LGTM. Follow-ups noted.