feat: branching & deploy baseline — two-branch flow, workflows, init script

[BGebken]

Summary

Bakes HRL's two-branch promotion model into every new repo created from this template. After the Muster adoption (muster#97, muster#98) and the Pirates-Codex canonical doc (Pirates-Codex#15), this completes the loop so new projects start compliant without any additional setup work.

What new projects get out of the box

• docs/BRANCHING.md — project-scoped doc template with an environment-tier picker; points to the org-wide canonical in Pirates-Codex
• .github/workflows/deploy-dev.yml + deploy.yml — placeholder deploy workflows (Dev triggers on develop, Prod triggers on main with a security gate scanning for BYPASS_AUTH)
• .github/workflows/prune-merged-branches.yml — weekly scheduled cleanup of merged feature branches older than 14 days; manual dispatch defaults to dry-run
• scripts/init-repo.sh — one-shot gh CLI setup that creates develop, enables auto-delete-on-merge, and adds baseline branch protection

What got updated

• CONTRIBUTING.md — the key fix: "Create a branch from `main`" → "Branch from `develop`"; adds hotfix flow, dev-only callout, and prefix conventions aligned with the prune workflow
• README.md — Deployment section documents the two-branch flow and points to init-repo.sh for first-run setup

Coordination with PR #1

PR #1 (Adopt HRL org-wide tracking standards) is currently open and touches CONTRIBUTING.md, README.md, and .github/pull_request_template.md.

• This PR intentionally does NOT touch pull_request_template.md to avoid a conflict. Recommend adding a target-branch check to PR Adopt HRL org-wide tracking standards #1's template before or after merge.
• This PR edits different sections of CONTRIBUTING.md and README.md than PR Adopt HRL org-wide tracking standards #1 — should merge cleanly with a rebase but may need review.

Recommended merge order: PR #1 first → rebase this PR on top → merge.

First-time user flow (after this merges)

# 1. Pirate Council member creates the repo from template-project
# 2. Clone locally
git clone https://github.com/huntridge-labs/new-project.git
cd new-project

# 3. Run the init script
bash scripts/init-repo.sh
# → creates develop, enables auto-delete, sets branch protection

# 4. Fill in the TODOs in docs/BRANCHING.md, README.md, and the workflows
# 5. First PR: feat/... into develop

Related

• Pirates-Codex#15 — canonical branching & environments doc — this PR depends on it
• muster#97, muster#98 — Muster as the reference implementation
• Repo PR Adopt HRL org-wide tracking standards #1 — standards alignment; coordinate merge order

Test plan

• Reviewer reads docs/BRANCHING.md — confirms tier menu and references look right
• Reviewer skims the three new workflows — confirms TODOs are clear
• Spot-check scripts/init-repo.sh on a throwaway repo (or a new repo spun up from the template after this merges)
• Confirm CONTRIBUTING.md + README.md edits don't break PR Adopt HRL org-wide tracking standards #1's edits semantically

Follow-ups

• After merge: update PR Adopt HRL org-wide tracking standards #1's pull_request_template.md to include a target-branch check section
• Consider a corresponding Terraform template module sandbox-ecs (separate repo or module) for Tier 3+ projects

🤖 Generated with Claude Code

[github-actions]

🔑 Gitleaks Secrets Detection Results

Branch: feat/branching-and-deploy-baseline
Commit: fa6b7c1

🔍 GitLeaks

Status: ⏭️ Skipped

---

Generated by Argus

[github-actions]

🔍 OpenGrep SAST Results

Branch: feat/branching-and-deploy-baseline
Commit: fa6b7c1

🔍 OpenGrep SAST

Status: Completed

Findings Summary

Error	Warning	Info	Total
0	0	0	0

No security findings detected.

Artifacts: OpenGrep Reports

---

Generated by Argus

[github-actions]

🐍 Bandit Python Security Results

Branch: feat/branching-and-deploy-baseline
Commit: fa6b7c1

🔍 Bandit Python Security

Status: ✅ Completed

📊 Findings Summary

🔴 High	🟠 Medium	🟢 Low	📦 Total
0	0	0	0

✅ No security findings detected!

📁 Artifacts: Bandit Reports

---

Generated by Argus