Document the current static web-app behavior, local-only save flow, shallow installer path, and maintainer-only sync controls.\n\nAlign maintainer guides with the active audit-to-risk-sync workflow, canonical artifact bot contract, release/coverage requirements, and updated security triage context so the docs match the repository's real operating model.
Clarify that validate and automated skill-review are necessary but not sufficient for skill and risky guidance changes. Add the requirement consistently to contributing guidance, the quality bar, and the PR checklist so maintainers explicitly review logic, safety, failure modes, and risk labeling before merge.
- Add docs/maintainers/merging-prs.md: policy to always use Squash and merge,
resolve conflicts on PR branch so PR shows Merged; Co-authored-by for rare
local integration
- Update .github/MAINTENANCE.md: merge via GitHub only, never close after
local integration; conflict resolution on branch then merge
- Update CONTRIBUTING.md Recognition: we always merge accepted PRs on GitHub,
never close after integrating locally
Addresses feedback from @sraphaz on #225 (attribution when PRs are integrated
locally). Going forward PRs will show as Merged so contributors get full credit.
Consolidate the repository into clearer apps, tools, and layered docs areas so contributors can navigate and maintain it more reliably. Align validation, metadata sync, and CI around the same canonical workflow to reduce drift across local checks and GitHub Actions.
