Install: claude install-skill thettwe/nyann
# gh-protect
Standalone GitHub protection management. Wraps `bin/gh-integration.sh`
in two modes: `--check` (read-only audit) and apply (write). Lets
users manage branch protection, tag rulesets, signing requirements,
and repo-level merge settings independently of bootstrap or doctor.
## 1. Pre-flight
Guard on `gh`:
```
command -v gh && gh auth status
```
If either fails, tell the user `gh` is required for this skill and
stop. Unlike other skills that soft-skip, protection management has
no useful fallback without `gh`.
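The guard above as a function that reports which half failed, so the user knows whether to install `gh` or log in. This is an added example, not part of the skill's own scripts; the name `preflight_gh` and the exit codes 1 and 2 are assumptions chosen for illustration.

```shell
# Added example: hard-stop pre-flight for gh-protect.
# preflight_gh is a hypothetical helper name; exit codes 1/2 are assumptions.
preflight_gh() {
    # Stage 1: is the gh binary on PATH at all?
    if ! command -v gh >/dev/null 2>&1; then
        echo "gh-protect: the GitHub CLI (gh) is required for this skill; install it and retry." >&2
        return 1
    fi
    # Stage 2: does gh hold a usable login?
    # `gh auth status` exits non-zero when no valid credentials are found.
    if ! gh auth status >/dev/null 2>&1; then
        echo "gh-protect: gh is installed but not authenticated; run 'gh auth login' and retry." >&2
        return 2
    fi
    return 0
}

# Typical call site: stop before any audit or apply step runs.
#   preflight_gh || exit $?
```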
## 2. Resolve profile
Load the active profile via `bin/load-profile.sh <name>`
(resolves preferences → CLAUDE.md markers → `"default"` fallback).
If the user names a specific profile, use that instead.
## 3. Audit first (always)
Run the read-only check regardless of whether the user asked to audit
or apply — the delta informs what apply would change:
```
bin/gh-integration.sh --target <cwd> --profile <name> --check
```
Output conforms to `schemas/protection-audit.schema.json`. Show the
user a summary table:
| Area | Expected | Actual | Drift |
|---|---|---|---|
| Branch protection (`branches[]`) | from profile | from GitHub API | critical / warn / ok |
| Tag rulesets | `.github.tag_protection_pattern` | GitHub Rulesets API | critical / warn / ok |
| CODEOWNERS gate | `.github.require_code_owner_reviews` | branch protection | critical / warn / ok |
| Signing | `.github.require_signed_commits/tags` | branch protection + local git config | critical / w