fix: Enable branch protection rulesets for .github and bmad-bgreat-suite

[claude]

Summary

• Adds scripts/setup-branch-protection.sh — creates/idempotently updates the pr-quality and code-quality rulesets on repos missing branch protection
• Updates standards/github-settings.md to document .github as a deviation and adds a "Remediating Missing Rulesets" section with usage instructions

Changes

scripts/setup-branch-protection.sh

New script that uses the GitHub Rulesets API to apply standard branch protection to .github and bmad-bgreat-suite:

• pr-quality: 1 required review, stale review dismissal, code owner review, last-push approval, thread resolution, squash-only, no force-push, no deletion
• code-quality (strict — branch must be up-to-date):
  • .github: Lint, ShellCheck, Agent Security Scan, SonarCloud, claude
  • bmad-bgreat-suite: SonarCloud, Analyze, claude

Supports --dry-run and is idempotent (updates existing rulesets rather than duplicating).

standards/github-settings.md

• Added .github to the compliance deviations table
• Added "Remediating Missing Rulesets" section with --dry-run and apply commands

After Merging

An admin runs:

# Preview first
DRY_RUN=true GH_TOKEN=<admin-pat> bash scripts/setup-branch-protection.sh --default

# Apply
GH_TOKEN=<admin-pat> bash scripts/setup-branch-protection.sh --default

Note: Verify that check names in the script match actual CI job names in bmad-bgreat-suite before applying.

Closes #28

Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Closing — superseded by #71 (apply-rulesets.sh with dynamic check detection). This PR's hardcoded per-repo check names are fragile compared to #71's approach. The standards deviation table update is also stale after repo settings were bulk-remediated.