feat: add GitHub sane defaults CLI

[osolmaz]

Summary

GitHub repository settings drift across repos, and fixing them by hand is easy to miss.
This adds a publishable TypeScript CLI that can preview and apply the repo defaults Onur wants for DutifulDev repositories.
It also applies and verifies those defaults on dutifuldev/scratch, so the first real target is already in the finalized state.

What Changed

The new CLI has a dry plan mode and an apply mode.
It uses GitHub REST APIs directly, validates API responses at the boundary, and keeps the policy values in typed modules so later GitHub defaults can be added cleanly.

• Added @dutifuldev/github-sane-defaults with the github-sane-defaults binary.
• Added plan and apply commands with --org, repeated --repo, --all, and optional --token.
• Applies repo settings for squash/rebase/automerge/update-branch/delete-branch-on-merge.
• Upserts a repository ruleset named github-sane-defaults: default branch.
• Added strict TypeScript, ESLint, Vitest, coverage, Slophammer, SimpleDoc, and CI configuration.

Testing

I tested the local package checks and the real GitHub apply flow against dutifuldev/scratch.
A second plan against scratch reports no changes, which confirms the apply path converged.

• npm run check
• npm run dry
• npm run mutate
• npx -y slophammer-ts check . --format json
• npx -y @simpledoc/simpledoc check
• git diff --check
• npm audit --omit=dev
• npm pack --dry-run
• node dist/src/cli/main.js plan --org dutifuldev --repo scratch
• node dist/src/cli/main.js apply --org dutifuldev --repo scratch
• node dist/src/cli/main.js plan --org dutifuldev --repo scratch

Risks

The tool currently creates repository-level rulesets rather than organization-level rulesets.
That keeps the first version easy to test on one repo with repo admin permissions, but a future org-wide policy mode may still be useful.

• --all intentionally skips archived and disabled repositories.
• The CLI does not yet manage Actions permissions, labels, security settings, or org-level rulesets.
• The GitHub API client uses the current REST ruleset payload shape for repository rulesets.

[osolmaz]

Final report

Implemented and merged the initial TypeScript npm CLI for applying GitHub sane defaults.

Validation run locally before merge:

• npm run check: passed
• npm run dry: passed
• npm run mutate: passed dry run
• npx -y slophammer-ts check . --format json: passed
• npx -y @simpledoc/simpledoc check: passed
• git diff --check: passed
• node dist/src/cli/main.js plan --org dutifuldev --repo scratch: no changes
• node dist/src/cli/main.js plan --org dutifuldev --all: completed successfully
• codex review --base main: final pass found no actionable correctness issues

Post-merge verification:

• main CI: passed
• node dist/src/cli/main.js plan --org dutifuldev --repo scratch: no changes
• node dist/src/cli/main.js plan --org dutifuldev --repo github-sane-defaults: no changes

The scratch repo and this repo are both in the finalized sane-defaults state.