Implement label-driven bug fix workflow

[BenBtg]

Summary

Create an additional label-driven workflow for bug fix that follows the process discussed, extending the existing bug assessment flow. It should be independent of Spec Kit specifics so it can be reused by other open source projects.

Context

We already have a bug-assess workflow (.github/workflows/bug-assess.md → compiled bug-assess.lock.yml) that triggers on the bug-assess label, assesses a bug-labeled issue against the codebase, and posts the assessment back as an issue comment. The bug fix workflow is the second of three stages (assess → fix → test), each gated by a human applying a label.

Requirements

• Label-driven trigger: runs when a maintainer applies a bug-fix label to an issue (mirroring the bug-assess trigger pattern).
• Reuse the bug extension logic for generating the fix, but keep it decoupled from Spec Kit-specific logic so it's portable to other repos.
• Integrate with the assessment stage: consume the slug / assessment produced by bug-assess (e.g. reuse BUG_SLUG) so the fix builds on the prior stage.
• Human as gatekeeper: no full automation on public repos. The fix stage only runs after a maintainer deliberately applies the label.
• Safety mechanisms: authored as a markdown file compiled into a YAML (.lock.yml) workflow, with validation steps to prevent malicious actions, scoped permissions, and untrusted-input handling consistent with bug-assess.
• Post the proposed fix back to the relevant issue (comment and/or PR) for human review.

Acceptance criteria

• bug-fix markdown workflow added under .github/workflows/ and compiled to its .lock.yml.
• Triggered by applying the bug-fix label; gated so it only runs for that label.
• Generates a fix using shared bug logic, decoupled from Spec Kit specifics.
• Maintainer remains the gatekeeper; no unattended automation on public repos.
• Output (fix / PR / comment) posted back to the issue._