fix(b-18): writer-env-fix uses Project-Access-Token (PAT) instead of Bearer #159

Merged: gHashTag merged 1 commit into main from fix/b18-writer-env-pat-auth on May 14, 2026
Conversation

@gHashTag
Owner

B-18 · writer-env-fix.yml uses wrong auth mode for Railway PAT tokens

Diagnosis (R5-verified)

token-classify.yml run 25846091578 (2026-05-14 06:43 UTC) proved that ALL 7 RAILWAY_TOKEN_ACC1..7 secrets are project-access-tokens (PAT), not account/team tokens:

ACC1: PAT/projectToken: {"id":"f29aa9dd-ca0b-460f-ad24-c7680c6717fb","name":"IGLA RACE"} ✅
ACC2: PAT/projectToken: {"id":"ad0f8f04-c56d-4b11-9350-cc0c2700b9db","name":"IGLA"}      ✅
ACC3: PAT/projectToken: {"id":"475a2290-d990-426a-af57-594a934cf6f4","name":"robust-radiance"} ✅
ACC4..7: all valid PAT tokens — see run log

(Bearer/me → "Not Authorized" — expected behaviour for PAT.)

Root cause

writer-env-fix.yml sends Authorization: Bearer <token> with { projects { edges } } query — this combination requires an account/team token, returns data.projects.edges = null for PAT, sanity-check exits with code 3.

Why this PR

Aligns writer-env-fix.yml with the proven-working pattern from refresh-acc47.yml (last successful run 25754312720, 2026-05-12 18:31 UTC):

- -H "Authorization: Bearer $T"
+ -H "Project-Access-Token: $T"
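
Review bot: The token is still passed on the curl command line in the added -H "Project-Access-Token: $T" line, so it sits in the process argument list on the runner for the duration of every call. Consider reading the header from a file or stdin (curl accepts -H @file) in the sanity-check step and the four helpers, and make sure shell tracing stays off around these calls.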

- -d '{"query":"{ projects { edges { node { id name } } } }"}'
+ -d '{"query":"{ projectToken { project { id name } } }"}'
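
Review bot: A successful projectToken answer to the new -d query only shows that the token is valid for some project, not for the intended one. The sanity check should compare the returned project id against the id expected for that ACC slot, and treat a null projectToken or a non-empty errors array as failure, so a token stored under the wrong secret name does not report OK.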

- RAILWAY_TOKEN_AUTH: team
+ RAILWAY_TOKEN_AUTH: project
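
Review bot: Two sources of truth for the auth mode remain after this change: the env line RAILWAY_TOKEN_AUTH: project and the literal Project-Access-Token header in the curl calls. Derive the header name from RAILWAY_TOKEN_AUTH in one place, or drop the variable if nothing in this workflow reads it, so the next token-type change is a single edit instead of six.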

Also references crates/trios-railway-core/src/transport.rs:

project sends Project-Access-Token: <token> and is required for project-scoped tokens (which is what the IGLA workspace token currently is).

Change scope (6 replacements)

  1. Sanity-check tokens step — uses PAT header + projectToken query
  2. resolve_env() helper — PAT header
  3. fetch_services() helper — PAT header
  4. upsert_var() helper — PAT header
  5. redeploy() helper — PAT header
  6. env.RAILWAY_TOKEN_AUTH: team → project (with R5 comment)

Verification plan (post-merge)

gh workflow run writer-env-fix.yml --repo gHashTag/trios-railway -f confirm=PHI
gh run watch  # expect "token ACC1 OK (PAT scope) / token ACC2 OK (PAT scope)"

Then within T+15min:

SELECT MAX(ts), EXTRACT(EPOCH FROM (NOW()-MAX(ts)))::int AS stale_sec
FROM ssot.bpb_samples WHERE canon_name LIKE 'IGLA-SHORT-WAVE-MATRIX-%';
-- expect stale_sec < 600

Why this matters

Writer service ssot.bpb_samples has been dead since 2026-05-13T19:26:40Z (~10h 53m at time of writing). Doctor Layer-2 (PR #155) is still a draft. This fix is the last operator-mergeable unblock before the hive can self-heal.

Refs

Anchor: φ² + φ⁻² = 3 · TRINITY · NEVER STOP · DOI 10.5281/zenodo.19227877

…Bearer

All ACC1..7 tokens in this repo are project-scoped (PAT), not account/team.
Verified by token-classify.yml run 25846091578 (2026-05-14 06:43Z) — every
token responds successfully to 'Project-Access-Token: <T>' header with
'{ projectToken { project { id name } } }' query, and returns 'Not Authorized'
to 'Authorization: Bearer <T>'.

Closes #158 (misdiagnosed as token-expiry; was actually wrong auth mode).
Refs: refresh-acc47.yml (proven-working PAT pattern, run 25754312720).
Refs: crates/trios-railway-core/src/transport.rs AuthMode::Project.

Anchor: phi^2 + phi^-2 = 3
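
An added example (not code from this repository or from Railway): a sanity check that tells a wrong auth mode apart from a dead token, the misdiagnosis this PR corrects for #158. The response bodies are constructed samples, the error shape is assumed, and the function names are hypothetical.

```python
import json

# Header name and probe query for each RAILWAY_TOKEN_AUTH value named in the PR.
PROBES = {
    "project": ("Project-Access-Token", "{ projectToken { project { id name } } }"),
    "team": ("Authorization", "{ projects { edges { node { id name } } } }"),
}

# Constructed sample bodies (not captured from the real API; error shape assumed).
PAT_OK = '{"data":{"projectToken":{"project":{"id":"00000000-0000-0000-0000-000000000000","name":"example"}}}}'
EDGES_NULL = '{"data":{"projects":{"edges":null}}}'
NOT_AUTHORIZED = '{"errors":[{"message":"Not Authorized"}],"data":null}'

def build_request(mode, token):
    """Return (headers, json_body) for the sanity-check probe of one auth mode."""
    header, query = PROBES[mode]
    value = f"Bearer {token}" if header == "Authorization" else token
    return {header: value, "Content-Type": "application/json"}, json.dumps({"query": query})

def dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is missing or null."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def probe_ok(mode, raw):
    """True only if the body carries the data the probe asked for. GraphQL
    reports failures in the body, so errors or a null field means failure."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return False
    if dig(doc, "errors"):
        return False
    if mode == "project":
        return bool(dig(doc, "data", "projectToken", "project", "id"))
    return isinstance(dig(doc, "data", "projects", "edges"), list)

def classify(responses):
    """Map {mode: raw_body} to 'project', 'team', 'ambiguous' or 'invalid-or-expired'."""
    passed = [mode for mode in PROBES if probe_ok(mode, responses.get(mode))]
    if not passed:
        return "invalid-or-expired"
    return passed[0] if len(passed) == 1 else "ambiguous"

if __name__ == "__main__":
    print(classify({"project": PAT_OK, "team": EDGES_NULL}))  # project
```

Only a token that fails both probes is reported as invalid or expired; a token that passes exactly one probe names the auth mode the workflow should use.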
Labels

blocker auto-created by gardener v2.7

Development

Successfully merging this pull request may close these issues.

B-17 P0 · RAILWAY_TOKEN_ACC1/ACC2 expired — ALL healer workflows blocked at Sanity-check tokens
