
Fix 'Main guard' ruleset properly (currently unblocked via admin bypass) #78

@fmasi


Context

The main ruleset "Main guard" requires checks that aren't wired up, and had an empty bypass list — which blocked all merges to main, including the owner's. To ship PRs #76/#77 on 2026-06-09 we added a Repository-Admin bypass actor (bypass_mode: always) as a stopgap. Rules remain active for any non-admin.

The actual problem

"Main guard" requires, but nothing satisfies:

  • code_scanning (CodeQL, high/error thresholds) — CodeQL is not-configured on this repo
  • code_quality
  • copilot_code_review — needs a GitHub Copilot subscription to run
  • pull_request (0 approvals, but requires review-thread resolution)

Note: this is not a billing/Pro issue — the repo is public, so rulesets + CodeQL are free. The checks simply never run.

Proper fix (pick one)

  • Enable CodeQL default setup (Settings → Code security → Code scanning → Default setup) so the code_scanning check actually runs and passes — then it's a real gate, not a lockout.
  • Decide on code_quality + copilot_code_review — keep only if the tooling is available to run them (Copilot review needs an active Copilot sub); otherwise remove those rules.
  • Once the required checks run green, reconsider/remove the admin bypass if you want strict enforcement for yourself too.

Until then, the admin bypass keeps main mergeable.

Filed with Claude Code.
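
Added example, not part of the issue or the repository's code: a small audit that takes a ruleset in the JSON shape GitHub uses for rulesets and flags required rules that no configured tooling can satisfy, the resulting lockout when the bypass list is empty, and any `bypass_mode: always` actor. The sample ruleset, the `actor_id` value and the `RULE_NEEDS` mapping are constructed assumptions that mirror the state described above.

```python
import json

# Constructed ruleset in the shape of GitHub's ruleset JSON, mirroring the issue.
# actor_id 5 is a constructed value standing in for the Repository-Admin role.
SAMPLE = json.loads("""
{
  "name": "Main guard",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
  ],
  "rules": [
    {"type": "code_scanning"},
    {"type": "code_quality"},
    {"type": "copilot_code_review"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 0,
                    "required_review_thread_resolution": true}}
  ]
}
""")

# Hypothetical mapping: rule type -> tooling that must actually run for it to pass.
RULE_NEEDS = {
    "code_scanning": "codeql",
    "code_quality": "code_quality",
    "copilot_code_review": "copilot",
}

def audit_ruleset(ruleset, available_tooling):
    """Return (kind, detail) findings for rules nothing can satisfy and for bypasses."""
    findings = []
    for rule in ruleset.get("rules", []):
        need = RULE_NEEDS.get(rule["type"])
        if need and need not in available_tooling:
            findings.append(("unsatisfiable_rule", rule["type"]))
    bypass = ruleset.get("bypass_actors") or []
    enforced = ruleset.get("enforcement") == "active"
    if enforced and findings and not bypass:
        # Required checks never run and nobody may bypass: every merge is blocked.
        findings.append(("lockout", ruleset["name"]))
    for actor in bypass:
        if actor.get("bypass_mode") == "always":
            findings.append(("always_bypass", f"{actor['actor_type']}:{actor['actor_id']}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_ruleset(SAMPLE, available_tooling=set()):
        print(f"{kind}: {detail}")
```

Passing the tooling that is really enabled (for example `{"codeql"}` once default setup is on) shows which rules remain unsatisfiable and whether the always-bypass is still the only thing keeping main mergeable.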
