
compliance-audit: detect stale required-check names in rulesets #92

@don-petry


Problem

#89 added check_centralized_workflow_stubs which detects downstream repos whose Tier 1 workflow files are not v1 stubs. It does not detect downstream repos whose required-status-check rulesets still pin pre-centralization names like claude, AgentShield, etc.

Both petry-projects/markets and petry-projects/bmad-bgreat-suite had this drift today and the audit didn't catch it — it only surfaced when their PRs deadlocked at merge time.

Proposed check

Add check_centralized_check_names() to scripts/compliance-audit.sh:

For each repo, fetch the active required-status-checks rules (via gh api repos/<repo>/rules/branches/main and gh api repos/<repo>/branches/main/protection) and look for any stale name from this map:

declare -A STALE_CHECK_RENAMES=(
  ["claude"]="claude-code / claude"
  ["AgentShield"]="agent-shield / AgentShield"
  ["Detect ecosystems"]="dependency-audit / Detect ecosystems"
)

If the ruleset (or classic branch protection) contains a key from the LHS, emit a finding telling the agent which name to rename to. Should also flag when the list contains claude-code / claude itself (because that check is structurally broken — see workaround A below).

Related

The check should also flag when claude-code / claude appears as a required check, because that's incompatible with workflow-modifying PRs and should be removed per Workaround A documented in those issues.
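Added example, not code from the issue or from scripts/compliance-audit.sh: the proposed check written in Python rather than bash so it runs offline without gh or jq (in the shell script the two extraction functions would become jq filters over the same JSON). It takes the decoded responses of `gh api repos/<repo>/rules/branches/main` and `gh api repos/<repo>/branches/main/protection`, unions the required check names from both, and emits one finding per stale or structurally broken name. The response shapes are as documented for the GitHub REST API; the finding wording, the `STRUCTURALLY_BROKEN` set and the sample payloads are assumptions made here, and the payloads are constructed, not captured from any real repo.

```python
"""Detect stale required-status-check names in rulesets and classic branch protection."""
import json


# Rename map copied from the issue: pre-centralization name -> centralized "<workflow> / <job>" name.
STALE_CHECK_RENAMES = {
    "claude": "claude-code / claude",
    "AgentShield": "agent-shield / AgentShield",
    "Detect ecosystems": "dependency-audit / Detect ecosystems",
}

# Check the issue says must not be required at all (Workaround A). Note that the rename
# map's own target for "claude" is this name, so a repo that follows the rename finding
# will be flagged again on the next run until the check is dropped from the ruleset.
STRUCTURALLY_BROKEN = {"claude-code / claude"}


def required_checks_from_rules(rules):
    """Names from `gh api repos/<repo>/rules/branches/main` (active ruleset rules).

    The endpoint returns a list of rule objects; those of type required_status_checks
    carry the names under .parameters.required_status_checks[].context.
    """
    names = []
    for rule in rules:
        if rule.get("type") != "required_status_checks":
            continue
        for check in rule.get("parameters", {}).get("required_status_checks", []):
            names.append(check["context"])
    return names


def required_checks_from_protection(protection):
    """Names from `gh api repos/<repo>/branches/main/protection` (classic protection).

    That endpoint answers 404 when the branch has no classic protection; the caller
    passes None in that case. Names live under .required_status_checks.contexts[],
    repeated under .required_status_checks.checks[].context in newer responses.
    """
    if not protection:
        return []
    rsc = protection.get("required_status_checks") or {}
    names = list(rsc.get("contexts", []))
    for check in rsc.get("checks", []):
        if check["context"] not in names:
            names.append(check["context"])
    return names


def check_centralized_check_names(repo, rules, protection):
    """Return one finding string per stale or structurally broken required check."""
    findings = []
    sources = (
        ("ruleset", required_checks_from_rules(rules)),
        ("branch protection", required_checks_from_protection(protection)),
    )
    for source, names in sources:
        for name in dict.fromkeys(names):  # de-duplicate while keeping order
            if name in STALE_CHECK_RENAMES:
                findings.append(
                    f"{repo}: {source} requires stale check '{name}'; "
                    f"rename it to '{STALE_CHECK_RENAMES[name]}'"
                )
            elif name in STRUCTURALLY_BROKEN:
                findings.append(
                    f"{repo}: {source} requires '{name}', which deadlocks "
                    f"workflow-modifying PRs; remove it (Workaround A)"
                )
    return findings


# Constructed sample payloads (not captured from any real repo), shaped like the two
# endpoints' responses: a ruleset pinning one stale name plus the broken one, and
# classic protection still pinning the old dependency-audit job name.
SAMPLE_RULES = json.loads("""[
  {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
  {"type": "required_status_checks", "parameters": {
     "strict_required_status_checks_policy": true,
     "required_status_checks": [
       {"context": "claude"},
       {"context": "agent-shield / AgentShield"},
       {"context": "claude-code / claude"}]}}
]""")
SAMPLE_PROTECTION = json.loads("""{
  "required_status_checks": {
    "strict": true,
    "contexts": ["Detect ecosystems"],
    "checks": [{"context": "Detect ecosystems", "app_id": null}]}
}""")


if __name__ == "__main__":
    # Live use would replace the samples with the decoded output of
    #   gh api repos/<repo>/rules/branches/main
    #   gh api repos/<repo>/branches/main/protection   (404 -> pass None)
    for finding in check_centralized_check_names("petry-projects/markets", SAMPLE_RULES, SAMPLE_PROTECTION):
        print(finding)
```

Querying both endpoints matters: a repo migrated from classic protection to rulesets can carry stale names in either place, and only the union reflects what actually blocks a merge.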
