branch-protection: declarative policy + apply script (#89)

Branch protection on main, declared as code rather than as opaque
GitHub UI state. Pairs with the CODEOWNERS chassis (#88): once this
PR lands and an admin runs the apply script, every PR to main must
satisfy code-owner review and the listed required checks.

Components:

- .github/branch-protection.json — the policy. Edit this to change
  required checks, review counts, etc. Includes a _comment field for
  human readers; the apply script strips it before PUT.
- scripts/apply-branch-protection.sh — idempotent apply via `gh api`.
  Reads back current state for verification. Supports DRY_RUN=1.
- docs/branch-protection.md — explains the policy, how to apply, how
  to change, why declared as code.
- AGENTS.md topic-index row.

Policy summary:

- Required status checks (strict): Classify Changes, Check AGENTS.md
  Links, Test Workspace, Test omnigraph-server --features aws,
  CODEOWNERS / drift, CODEOWNERS / noedit.
- Required approving reviews: 1, must be a code owner.
- Dismiss stale reviews on new commits.
- Required linear history (squash or rebase merges only).
- No force pushes, no deletions, no admin bypasses.
- Required conversation resolution.

What's NOT in this PR:

- Required signed commits — not yet; maintainers must enroll GPG/SSH
  signing first or merges will block.
- Tag protection for v* tags — separate PR.
- Additional required checks (cargo deny, audit, fmt, clippy, CodeQL,
  schema-lint MR-946) — separate PRs as each lands.
- The script is NOT run by CI. Branch-protection changes are admin
  actions; CI-driven auto-apply would defeat the purpose. Manual
  invocation is the audit point.

How to apply after merge:

  ./scripts/apply-branch-protection.sh

Requires gh-CLI auth with repo-admin permissions.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/apply-branch-protection.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# Apply branch protection rules to the main branch.
+#
+# Requires:
+#   - `gh` CLI authenticated.
+#   - Repo-admin or org-admin permissions on ModernRelay/omnigraph.
+#
+# This script is idempotent: re-running applies whatever is currently
+# declared in .github/branch-protection.json. The JSON file is the
+# source of truth; this script is the apply mechanism.
+#
+# Usage:
+#   ./scripts/apply-branch-protection.sh                    # apply to main
+#   REPO=ModernRelay/omnigraph BRANCH=main ./scripts/...    # explicit
+#   DRY_RUN=1 ./scripts/apply-branch-protection.sh          # show what would apply
+
+set -euo pipefail
+
+REPO="${REPO:-ModernRelay/omnigraph}"
+BRANCH="${BRANCH:-main}"
+HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+POLICY_FILE="${POLICY_FILE:-$HERE/../.github/branch-protection.json}"
+
+if [ ! -f "$POLICY_FILE" ]; then
+    echo "error: policy file not found: $POLICY_FILE" >&2
+    exit 1
+fi
+
+# Strip the _comment field — the GitHub API rejects unknown keys.
+PAYLOAD="$(mktemp)"
+trap 'rm -f "$PAYLOAD"' EXIT
+jq 'del(._comment)' "$POLICY_FILE" > "$PAYLOAD"
+
+if [ "${DRY_RUN:-0}" = "1" ]; then
+    echo "DRY RUN — would apply to $REPO/$BRANCH:"
+    echo
+    cat "$PAYLOAD"
+    exit 0
+fi
+
+echo "Applying branch protection to $REPO/$BRANCH from $POLICY_FILE"
+gh api -X PUT "repos/$REPO/branches/$BRANCH/protection" \
+    --input "$PAYLOAD" \
+    -H "Accept: application/vnd.github+json" \
+    > /dev/null
+echo "OK"
+
+# Verify by reading back.
+echo
+echo "Current policy on $REPO/$BRANCH:"
+gh api "repos/$REPO/branches/$BRANCH/protection" \
+    --jq '{
+        required_status_checks: .required_status_checks.contexts,
+        strict_status_checks: .required_status_checks.strict,
+        required_approvals: .required_pull_request_reviews.required_approving_review_count,
+        require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
+        enforce_admins: .enforce_admins.enabled,
+        linear_history: .required_linear_history.enabled,
+        force_pushes_allowed: .allow_force_pushes.enabled,
+        deletions_allowed: .allow_deletions.enabled,
+        conversation_resolution_required: .required_conversation_resolution.enabled
+    }'