Document the current static web-app behavior, local-only save flow, shallow installer path, and maintainer-only sync controls.

Align maintainer guides with the active audit-to-risk-sync workflow, canonical artifact bot contract, release/coverage requirements, and updated security triage context so the docs match the repository's real operating model.
- Add docs/maintainers/merging-prs.md: policy to always use Squash and merge,
  resolve conflicts on PR branch so PR shows Merged; Co-authored-by for rare
  local integration
- Update .github/MAINTENANCE.md: merge via GitHub only, never close after
  local integration; conflict resolution on branch then merge
- Update CONTRIBUTING.md Recognition: we always merge accepted PRs on GitHub,
  never close after integrating locally

Addresses feedback from @sraphaz on #225 (attribution when PRs are integrated
locally). Going forward PRs will show as Merged so contributors get full credit.