feat: PII protection guidance, Workshop Operations org pattern, and CI/mirror improvements

[devin-ai-integration]

Summary

Adds comprehensive PII/author scrubbing guidance and the Workshop Operations Devin org pattern to the operator repo.

Changes

1. Improved CI workflow (.github/workflows/pr-pii-check.yml):

• Now triggers on pull_request: [opened, edited, synchronize] (added edited)
• Now triggers on issue_comment: [created, edited] (covers regular PR thread comments)
• Framed as a reference implementation that can optionally be deployed to repos

2. Mirror script — opt-in PII check deployment (scripts/mirror-github-org.sh):

• Added --deploy-pii-check / --no-deploy-pii-check flags
• When enabled, copies the reference pr-pii-check.yml workflow into each mirrored repo's default branch
• Works alongside the existing --strip-workflows flag

3. Commit authorship guidance (README §1.6):

• Documents how to create a Knowledge note ensuring Devin always commits as devin-ai-integration[bot]
• Includes both webapp and v3 API approaches

4. Workshop Operations Devin Org (new README section):

• Documents the pattern: every customer enterprise creates a long-lived "Workshop Operations" org
• Org hosts recurring schedules (weekly PII scrub) and one-time event schedules (ACU zeroing)
• Requires an org secret with the enterprise service user key
• Shows how to create schedules via v3 Schedules API, Devin webapp, and MCP (devin_schedule_manage)

5. End-of-event ACU zeroing:

• Documents using MCP to schedule a one-time session that sets max_cycle_acu_limit to 0

6. Updated architecture diagram to include the Workshop Operations org

Removed: scripts/create-pii-scrub-schedule.sh — replaced with direct v3 API / MCP documentation (avoids wrapping what the API already provides)

Review & Testing Checklist for Human

• Verify --deploy-pii-check flag logic in mirror-github-org.sh works with both --strip-workflows (default) and --no-strip-workflows paths
• Confirm the Workshop Operations org setup instructions match your enterprise's desired pattern (org name, ACU limits, secret naming)
• Review the MCP-based scheduling guidance for ACU zeroing — confirm this matches how you want operators to manage event lifecycle
• Validate the architecture diagram renders correctly in GitHub markdown

Notes

• The CI workflow is now opt-in during mirroring (default off) since it applies to Cognition-Partner-Workshops repos broadly
• deploy-pr-pii-check.sh remains as a standalone tool for deploying to existing repos that weren't mirrored with the flag
• Scheduling is documented using the native v3 Schedules API rather than a custom wrapper script

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/9aa814bde24049e3b8550d6842c31100
Requested by: @bsmitches

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.