diff --git a/.github/workflows/ceo-audit.yml b/.github/workflows/ceo-audit.yml
index 0b723de..f0d09d4 100644
--- a/.github/workflows/ceo-audit.yml
+++ b/.github/workflows/ceo-audit.yml
@@ -172,12 +172,23 @@ jobs:
         env:
           PYTHONPATH: ${{ github.workspace }}/infra/skills/ceo-audit/lib
           SIN_GITHUB_APP_CLIENT_ID: Iv23livllaHIBTdQdyhY
+          # Pass through the built-in GITHUB_TOKEN (always present in CI).
+          # Will be used as fallback if SIN_GITHUB_INSTALLATION_TOKEN is unset.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # post_audit_pr.py lives in the cloned Infra repo (see 'Install ceo-audit skill' step)
+          # score.json is written by audit.sh to ~/ceo-audits/<repo>-ceo-audit-<runid>/score.json
+          # We search both ceo-audit-output/ and ~/ceo-audits/ to be robust.
+          SCORE_FILE=$(find $HOME/ceo-audits ceo-audit-output -name 'score.json' 2>/dev/null | head -1)
+          if [ -z "$SCORE_FILE" ]; then
+            echo "::warning::No score.json found — skipping App commenter (Action comment above still posts)"
+            exit 0
+          fi
+          echo "Using score.json: $SCORE_FILE"
           python3 ${{ github.workspace }}/infra/skills/ceo-audit/scripts/post_audit_pr.py \
             --repo ${{ github.repository }} \
             --pr ${{ github.event.pull_request.number }} \
-            --score-json ceo-audit-output/score.json \
+            --score-json "$SCORE_FILE" \
             --artifact-url ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} \
             --run-id ${{ github.run_id }}
 
diff --git a/README.md b/README.md
index 412c1f0..56bb88c 100644
--- a/README.md
+++ b/README.md
@@ -197,3 +197,4 @@ sin sin-code agents-md --output AGENTS.md
 ## License
 
 MIT — see [LICENSE](./LICENSE).
+# Test change