Enable Branch Protection Rules on Master

[chrismaz11]

SOC 2 Blocker — CC6.1, CC8.1

Configure branch protection on master:

• Require pull request reviews (≥1 reviewer)
• Require status checks to pass (lint, typecheck, test, secret-scan, dependency-audit)
• Disallow force pushes and branch deletion
• Document the configuration in docs/github-settings-checklist.md

This is partially a repo-settings change, but Codex should update docs/github-settings-checklist.md with the expected configuration and evidence instructions.

[chrismaz11]

Branch protection is now enabled on master with required PR review, required conversation resolution, and the current required status checks (lint, typecheck, test, web-build, signed-receipt-smoke, rust-build, secret-scan, dependency-audit, verify-artifact-action).

The documentation update for this control is included in PR #67.