Add shared credential-routing template and propagation tooling

Introduce credential-routing.template for Codex, Claude Code, Grok, and
llm-connect agents. Wire into agents-codex.template and claude-md.template.
Add propagate_credential_routing.py for surgical rollout without clobbering
repo-specific AGENTS.md extensions (REPO-AGENTS-EXTENSIONS marker).

scripts/update_agent_instruction_files.py

@@ -16,12 +16,34 @@ def fetch(path: str):
         return json.load(response)
 
 
+EXTENSION_MARKER = "<!-- REPO-AGENTS-EXTENSIONS -->"
+
+
 def render(template: str, values: dict[str, str]) -> str:
     for key, value in values.items():
         template = template.replace("{" + key + "}", value)
     return template
 
 
+def read_agents_extensions(agents_path: Path) -> str:
+    if not agents_path.exists():
+        return ""
+    text = agents_path.read_text(encoding="utf-8")
+    if EXTENSION_MARKER not in text:
+        return ""
+    return text.split(EXTENSION_MARKER, 1)[1]
+
+
+def build_agents_md(template: str, values: dict[str, str], extensions: str) -> str:
+    body = render(template, values)
+    if extensions.strip():
+        if EXTENSION_MARKER in body:
+            body = body.split(EXTENSION_MARKER, 1)[0] + EXTENSION_MARKER + extensions
+        else:
+            body = body.rstrip() + "\n\n" + EXTENSION_MARKER + extensions
+    return body
+
+
 def repo_topic_id(repo: dict, topics: list[dict]) -> str:
     if repo.get("topic_id"):
         return repo["topic_id"]
@@ -71,6 +93,9 @@ def main() -> None:
     agents_template = (TEMPLATE_DIR / "agents-codex.template").read_text(encoding="utf-8")
     claude_template = (TEMPLATE_DIR / "claude-md.template").read_text(encoding="utf-8")
     scope_template = (TEMPLATE_DIR / "scope.template").read_text(encoding="utf-8")
+    credential_routing_template = (
+        TEMPLATE_DIR / "credential-routing.template"
+    ).read_text(encoding="utf-8")
     rule_names = [
         "repo-identity",
         "session-protocol",
@@ -79,12 +104,22 @@ def main() -> None:
         "stack-and-commands",
         "architecture",
         "repo-boundary",
+        "credential-routing",
         "agents",
     ]
-    rule_templates = {
-        name: (TEMPLATE_DIR / f"{name}.template").read_text(encoding="utf-8")
-        for name in rule_names
-    }
+    rule_templates: dict[str, str] = {}
+    for name in rule_names:
+        if name == "credential-routing":
+            rule_templates[name] = (
+                "# Credential and access routing\n\n"
+                + credential_routing_template.lstrip().removeprefix(
+                    "## Credential and access routing\n\n"
+                )
+            )
+        else:
+            rule_templates[name] = (
+                TEMPLATE_DIR / f"{name}.template"
+            ).read_text(encoding="utf-8")
 
     updated: list[str] = []
     for repo in choose_repos(repos):
@@ -99,9 +134,21 @@ def main() -> None:
             "TOPIC_ID": repo_topic_id(repo, topics),
             "REPO_SLUG": repo_slug,
             "WP_PREFIX": wp_prefix(repo_slug),
+            "CREDENTIAL_ROUTING": render(credential_routing_template, {
+                "PROJECT_NAME": project_name,
+                "PROJECT_DESCRIPTION": description,
+                "DOMAIN": repo.get("domain_slug") or "",
+                "TOPIC_ID": repo_topic_id(repo, topics),
+                "REPO_SLUG": repo_slug,
+                "WP_PREFIX": wp_prefix(repo_slug),
+            }),
         }
 
-        (path / "AGENTS.md").write_text(render(agents_template, values), encoding="utf-8")
+        agents_path = path / "AGENTS.md"
+        extensions = read_agents_extensions(agents_path)
+        agents_path.write_text(
+            build_agents_md(agents_template, values, extensions), encoding="utf-8"
+        )
         (path / "CLAUDE.md").write_text(render(claude_template, values), encoding="utf-8")
         scope_path = path / "SCOPE.md"
         if not scope_path.exists():