block releases when main's branch protection drifts

[iicky]

• read main's full branch protection in release preflight and assert the baseline: enforce_admins on, force-push and deletion off, required checks include Test/VHS/Lint (extra checks fine, a dropped one is drift)
• fail the release on drift or an unreadable protection config, replacing the old check that only saw protected: true
• mint a short-lived GitHub App token (administration/contents/pull-requests read) for the read, since GITHUB_TOKEN can't carry the administration scope
• read the App credentials from the PREFLIGHT_APP_ID and PREFLIGHT_APP_PRIVATE_KEY secrets — preflight fails closed until the App is installed on iicky/murk