feat(coverage-floor): add extras: input for selective extras install

[topcoder1]

Summary

Adds an extras: input to the coverage-floor reusable workflow, letting Python callers control which [project.optional-dependencies] extras get installed before pytest-cov runs.

Value	Behavior
"all" (default)	uv sync --all-extras — preserves prior behavior
"none"	uv sync with no extras
"dev,api,model" (comma list)	uv sync --extra dev --extra api --extra model

Motivation — burn 2026-05-19 (whois-api-llc/wxa_webcat)

Coverage Floor has been silently failing on every webcat PR since at least #379 (8 consecutive failures, 6 days). Detected during the autonomous-agent-team calibration runs (#385, #387 both auto-merged with this check red — it's non-required).

Root cause discovered after deep diagnosis:

• Webcat's pyproject.toml declares crawl = ["webcrawl @ git+https://github.com/topcoder1/webcrawl.git"]
• uv sync --quiet --all-extras triggers git clone topcoder1/webcrawl
• AUTOMERGE_PAT (the secret forwarded to the reusable for the seed-PR flow) does not have read scope on topcoder1/webcrawl
• The Configure git for cross-org clones step successfully rewrites the URL with token auth (no error), but the actual fetch returns 404, killing uv sync in 0 seconds
• Workflow exits before pytest, before measurement, before floor comparison — entirely opaque to the existing diagnostics

Why this approach over alternatives

Alternative	Tradeoff
Broaden AUTOMERGE_PAT scope	Fleet-wide PAT credential sprawl; every new cross-org dep on any repo expands a power-user secret
Add a separate CROSS_ORG_READ_PAT secret	Extra credential to provision + rotate per affected repo
Restructure pyproject.toml (move webcrawl out of extras)	Changes how webcrawl is consumed in real environments, not just CI
This PR — caller-controlled extras	Caller declares intent explicitly; zero new credentials; generalizes to any future cross-org-dep repo

Backward compatibility

• Default "all" reproduces --all-extras behavior verbatim.
• All 44 existing callers in the fleet work unchanged (no caller modification needed unless they want the new behavior).
• Self-test on this repo: unaffected (no extras involved; default branch).

Test plan

• YAML syntax validates (python3 -c "import yaml; yaml.safe_load(open('.github/workflows/coverage-floor.yml'))")
• Self-test on this PR will exercise the default "all" code path — should remain green
• After merge: follow-up caller PR on whois-api-llc/wxa_webcat will pass extras: "dev,api,model,data,headless" and validate the comma-list code path end-to-end
• After webcat caller PR lands green: floor reset to ~80% (real measured value) + add coverage-floor / Measure coverage and enforce floor to required-status-checks

Follow-ups (separate PRs, NOT this one)

1. topcoder1/dotclaude — update callers/coverage-floor.yml template with a commented extras: example
2. whois-api-llc/wxa_webcat — caller-side PR using extras: "dev,api,model,data,headless"
3. Optional later: graceful-degradation on cross-org clone failure (catch + retry without offending extra + warn). Deferred — explicit caller control is the safer default; graceful degradation adds complexity for an edge case.

Auto-merge rationale

Reusable workflow change with input default preserving current behavior. Touches .github/workflows/coverage-floor.yml (workflow file — high-risk path under claude-author-automerge.yml rules), so this is manual-click merge required, not auto-merge. Recommend reviewing the input naming, YAML structure, and bash escaping before clicking.

Codex pre-review

Recommended before merge — this is a reusable workflow consumed by 44 fleet repos. Codex should specifically check:

• Bash array expansion safety in the comma-list branch (IFS=',', read -ra, quoted expansion of \"\${EXTRA_FLAGS[@]}\")
• YAML scalar handling on the multi-line input description
• Whether extras: "" (empty) should be treated as "all" (current behavior) or "none" (current behavior also routes empty to "none" via the case fallthrough — fine either way)

HUMAN_READABLE_SUMMARY

Coverage Floor reusable now accepts an extras: input letting callers skip Python extras that contain cross-org git deps. Default behavior unchanged for all 44 existing callers. Fixes a 6-day silent gate failure on webcat caused by --all-extras trying to clone topcoder1/webcrawl without sufficient PAT scope.

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[github-actions]

Coverage Floor — mode: enforce

metric	value
measured	100.0%
floor (current)	99.0%
target	100.0%
last bumped	2026-05-12

[claude]

No issues found. Bash array expansion, IFS scoping, and env-var injection surface all check out; the unreachable empty-string case arm and xargs trimming are minor but not bugs given PEP 508 extra-name constraints.