Add silent error handling convention to CLAUDE.md

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Author: fantapop

CLAUDE.md

@@ -67,3 +67,16 @@ scripts that set up temporary git repos and validate behavior.
   return code is checked automatically.
 - In workflow YAML files, always use the latest major version of built-in
   GitHub Actions (e.g., `actions/checkout@v5`, `actions/upload-artifact@v4`).
+- In autosolve workflows, install the Claude CLI (npm) BEFORE any cloud
+  authentication step, and move credential files out of the workspace
+  immediately after authentication. npm post-install scripts run with the
+  job's full environment, so installing after auth exposes credentials
+  (e.g., the OIDC bearer token in `gha-creds-*.json`) to arbitrary code.
+  The correct step order is: checkout → install CLI → authenticate →
+  move credentials → run autosolve action.
+- Do not silently swallow errors. In shell scripts, avoid `|| return 0`,
+  `|| true`, or `|| :` to suppress failures without logging — use
+  `log_warning` to surface what went wrong. In Go code, avoid `return nil`
+  on error paths without logging or returning the error. If ignoring an
+  error is genuinely correct (e.g., best-effort cleanup), add a comment
+  explaining why it's safe to ignore.