Reviewer Routine hardening: per-merge audit comment + kill switch #314

@schmug

Description

Task

Two operational hardening changes to the reviewer Routine. (1) Audit trail: currently the gate verdict JSON is commented only on escalations; comment the full verdict on every AUTO-MERGED PR too, so each auto-merge has an immutable record of why the gate passed it. (2) Kill switch: before processing, the reviewer (and implementer) must check for a pipeline-paused label/flag and no-op if present, giving a fast documented stop without editing cloud Routine config.

Context

Auto-merged PRs get zero human eyes by design; without a per-PR gate-decision record, forensics after a bad merge are weak. And there is currently no fast pause if the implementer misbehaves. From the post-#306 gap review.

Pointers

  • scripts/routine-pipeline/routine-reviewer.md — step 3c (auto-merge path; add verdict comment), add a step 0 pause check
  • scripts/routine-pipeline/routine-implementer.md — add the same pause check at step 1
  • scripts/routine-pipeline/setup-labels.sh — add a pipeline-paused label
  • docs/routine-pipeline.md — document the kill switch

Constraints

  • Pause check must be the first action; if paused, exit with a clear no-op message, mutate nothing.
  • Verdict comment must include the full JSON (pass, reasons) for auditability.
  • Idempotent; no change to the gate exit-code contract.

Acceptance criteria

  • Every auto-merged PR has a comment containing the gate verdict JSON.
  • With pipeline-paused present (repo label or pinned-issue flag), both Routines no-op and mutate nothing.
  • setup-labels.sh creates pipeline-paused; docs/routine-pipeline.md documents pause/resume.

Out of scope

  • Gate logic changes.
  • Alerting on Routine infra failures (separate concern).
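As an added example (not the project's own code), the step-0 pause check, the per-merge verdict comment and the idempotency constraint from the body above, sketched in Python with GitHub reads passed in as data and writes as callables so it runs offline; RoutineContext, the PIPELINE_PAUSED flag text and the HTML-comment marker are assumptions.

```python
"""Added example, not the project's own code: step-0 pause check plus the
per-merge verdict comment, with GitHub I/O injected so the logic runs offline."""
import json
from dataclasses import dataclass, field
from typing import Callable

PAUSE_LABEL = "pipeline-paused"           # label name from the issue (setup-labels.sh)
PAUSE_FLAG = "PIPELINE_PAUSED"            # assumed marker text for the pinned-issue flag
VERDICT_MARKER = "<!-- gate-verdict -->"  # assumed marker so re-runs find an existing comment


@dataclass
class RoutineContext:
    """Reads arrive as plain data; writes are callables the caller wires to `gh`."""
    repo_labels: list[str]
    pinned_issue_bodies: list[str]
    pr_comments: list[str]
    post_comment: Callable[[str], None]
    merge_pr: Callable[[], None]
    log: list[str] = field(default_factory=list)


def pipeline_paused(ctx: RoutineContext) -> bool:
    """Step 0: paused if the repo label exists or a pinned issue carries the flag."""
    if PAUSE_LABEL in ctx.repo_labels:
        return True
    return any(PAUSE_FLAG in body for body in ctx.pinned_issue_bodies)


def verdict_comment(verdict: dict) -> str:
    """Full verdict JSON (pass, reasons) in a fenced block, prefixed by the marker."""
    body = json.dumps(verdict, indent=2, sort_keys=True)
    return f"{VERDICT_MARKER}\n**Gate verdict** (pass={verdict['pass']})\n```json\n{body}\n```"


def reviewer_step(ctx: RoutineContext, verdict: dict) -> str:
    """Returns the outcome; mutates nothing when paused and never double-posts the verdict."""
    if pipeline_paused(ctx):
        ctx.log.append("pipeline-paused present: reviewer no-op, nothing mutated")
        return "noop"
    # Verdict is recorded on both paths; the marker check keeps re-runs idempotent.
    if not any(VERDICT_MARKER in c for c in ctx.pr_comments):
        ctx.post_comment(verdict_comment(verdict))
    if not verdict["pass"]:
        return "escalated"
    ctx.merge_pr()
    return "auto-merged"
```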

Labels: enhancement (New feature or request)