fix(governance): sync check lists and fix ruleset condition#48

Merged: iap merged 2 commits into dev from fix/governance-ruleset-and-checks on May 8, 2026

@iap iap commented May 8, 2026

Summary

Two governance correctness fixes.

Changes

Ruleset condition bug (applied directly via API)

The develop ruleset had "refs/heads/main, canary" as a single literal string — it matched nothing. Fixed to two separate entries: refs/heads/main and refs/heads/canary. The ruleset (CodeQL alert gate, deletion protection, non-fast-forward) now correctly applies to all three protected branches.

Script and doc sync

  • apply-governance.sh: add Dependency Review, Contracts Production Mode Smoke, frontend-checks / Frontend Checks (Node 20/22) to all branch check lists; align with live branch protection
  • verify-governance.sh: same additions
  • BRANCHING.md, PRODUCTION_GOVERNANCE_CHECKLIST.md: fix Frontend Checks names to include workflow prefix (frontend-checks / )

Governance policy validator passes locally.

Scope

  • scripts
  • docs

Risk

Low — script and doc changes only. Ruleset fix was applied directly via API before this PR.

Summary by CodeRabbit

  • Chores
    • Standardized required CI/status check names for frontend verification to use the "frontend-checks /" workflow prefix for Node 20 and Node 22 across dev, canary, and main.
    • Updated branch protection and governance baselines to add/reorder required checks (e.g., Dependency Review, contracts production smoke, analysis, gitleaks, slither-core, detect-secrets-drift) and expand the ordered check sets.

- apply-governance.sh: add Dependency Review, Contracts Production Mode
  Smoke, frontend-checks / Frontend Checks (Node 20/22) to all branches;
  align order with live branch protection
- verify-governance.sh: same additions
- BRANCHING.md: fix Frontend Checks names to include workflow prefix
- PRODUCTION_GOVERNANCE_CHECKLIST.md: same fix

Ruleset condition bug (refs/heads/main, canary as one string) fixed
directly via API — canary and main now correctly covered by the
develop ruleset.
@iap iap requested a review from a team as a code owner May 8, 2026 14:30
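
An added example, not part of the pull request or the project's scripts: a Python audit of a ruleset's ref_name condition that flags an include entry holding several branches in one string and lists the protected branches the ruleset therefore misses. The two JSON documents are constructed from the PR description (the refs/heads/dev entry and the default_branch value are assumptions); a Git ref name cannot contain a space, so an entry like "refs/heads/main, canary" can never match.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample, not the repository's real ruleset: the "conditions" object
# as the PR describes it before the fix. "refs/heads/dev" being listed is assumed.
BROKEN = json.loads("""
{"name": "develop", "conditions": {"ref_name": {
  "include": ["refs/heads/dev", "refs/heads/main, canary"], "exclude": []}}}
""")
# The same ruleset after the fix: one entry per branch.
FIXED = json.loads("""
{"name": "develop", "conditions": {"ref_name": {
  "include": ["refs/heads/dev", "refs/heads/main", "refs/heads/canary"],
  "exclude": []}}}
""")
PROTECTED = ["dev", "canary", "main"]  # the three protected branches in the PR


def ref_patterns(ruleset, key):
    return ruleset.get("conditions", {}).get("ref_name", {}).get(key, [])


def packed_patterns(ruleset):
    """Entries that look like several refs typed into one string."""
    return [p for key in ("include", "exclude") for p in ref_patterns(ruleset, key)
            if "," in p or any(c.isspace() for c in p)]


def uncovered_branches(ruleset, branches, default_branch="main"):
    """Branches the ruleset does not target. default_branch is an assumed value.
    fnmatchcase approximates GitHub's fnmatch-style matching and is exact for
    the literal refs used here."""
    def hit(ref, branch, patterns):
        return any(p == "~ALL"
                   or (p == "~DEFAULT_BRANCH" and branch == default_branch)
                   or fnmatchcase(ref, p) for p in patterns)
    missing = []
    for b in branches:
        ref = "refs/heads/" + b
        if not hit(ref, b, ref_patterns(ruleset, "include")) \
                or hit(ref, b, ref_patterns(ruleset, "exclude")):
            missing.append(b)
    return missing


if __name__ == "__main__":
    for label, rs in (("before", BROKEN), ("after", FIXED)):
        print(label, packed_patterns(rs), uncovered_branches(rs, PROTECTED))
```

Running a check like this against the live ruleset JSON after every governance change catches a condition that silently stops protecting a branch.
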
github-actions Bot commented May 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

coderabbitai Bot commented May 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between cf50bfe and 376a140.

📒 Files selected for processing (1)
  • package.json

Walkthrough

The PR standardizes frontend CI check naming across GitHub governance by adding the workflow prefix frontend-checks / to frontend build checks for both Node 20 and Node 22. Updates span documentation (BRANCHING.md), governance scripts (verify-governance.sh, apply-governance.sh), and branch protection checklists for dev, canary, and main branches.

Changes

Frontend Check Prefix Standardization

Layer / File(s) and summary:

  • Documentation Updates (BRANCHING.md): PR required checks matrices and recommended branch protection rules for dev, canary, and main are updated to use fully-qualified frontend check names: frontend-checks / Frontend Checks (Node 20) and frontend-checks / Frontend Checks (Node 22).
  • Governance Verification & Application (scripts/github/verify-governance.sh, scripts/github/apply-governance.sh): require_checks_dev and require_checks_main arrays are redefined to require the prefixed frontend check names. DEV_CHECKS_JSON, CANARY_CHECKS_JSON, and MAIN_CHECKS_JSON are updated with the new check identifiers, reordering and adding checks like Dependency Review and Contracts Production Mode Smoke.
  • Branch Protection Checklist (.github/PRODUCTION_GOVERNANCE_CHECKLIST.md): Manual branch protection checklists for main, canary, and dev are updated to reference the prefixed frontend check names for consistency with enforcement scripts.
  • Formatting (package.json): A trailing blank line was added to the end of the file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • trade/mark#45: Both PRs modify governance/docs/scripts files to rename/standardize required GitHub status check names, including changes to apply-governance.sh, verify-governance.sh, BRANCHING.md, and the PRODUCTION checklist.
  • trade/mark#33: Both PRs update the same scripts/github/verify-governance.sh governance checks logic and required-check arrays.
  • trade/mark#23: Introduces the reusable frontend workflow with the frontend-checks prefix, while this PR updates governance/scripts to require the matching prefixed status checks.

Suggested labels

codex

"I'm a rabbit in CI, I hop and I bind,
frontend-checks / now keeps builds aligned. 🐇
Docs and scripts changed, protection lists too,
Node twenty and twenty-two—prefixes true.
A tidy little hop — checks are all new!"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name, status and explanation:

  • Title check: ✅ Passed. The title 'fix(governance): sync check lists and fix ruleset condition' accurately summarizes the main changes: fixing a ruleset condition bug and synchronizing governance check lists across scripts and documentation.
  • Description check: ✅ Passed. The description covers the key changes (ruleset fix and script/doc sync) and risk assessment, but omits several template sections including Verification, Risk Review details, and Governance checklist items.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot previously approved these changes May 8, 2026
@iap iap merged commit 85c8c00 into dev May 8, 2026
17 checks passed
@iap iap deleted the fix/governance-ruleset-and-checks branch May 8, 2026 14:38