v0.12.0 — Branch Protection & CI Gates Live
Before Meridian ships to mainnet, every code change now flows through enforced security gates on GitHub. No user-facing features changed — this is the process foundation for the security hardening phases ahead.
What's enforced on main now:
- Branch protection with admin enforcement (no bypass path, no force pushes, no deletions)
- PR template must include Fix / Test / Threat Model sections
- Security-sensitive PRs require explicit reviewer clearance before merge
- Test-count gate counts only real new tests (skip/only bypass closed)
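A sketch of how a test-count gate can close the skip/only bypass, as an added example that is not Meridian's own CI code. It assumes Jest/Mocha-style test syntax and a unified diff as input; the function name, regexes, sample diff and minimum-count policy are constructed for illustration.

```javascript
// Added example (not project code). Assumes Jest/Mocha-style test syntax.
const TEST_CALL = /\b(?:it|test)\s*\(/;
// Declared but never executed, so they must not count as new tests.
const SKIPPED = /\b(?:(?:it|test)\.(?:skip|todo)|xit|xtest)\s*\(/;
// Constructs that silence other tests fail the gate outright.
const BLOCKING = /\b(?:(?:it|test|describe)\.only|fit|fdescribe|describe\.skip|xdescribe)\s*\(/;
const COMMENTED = /^\s*(?:\/\/|\/\*|\*)/;

function evaluateTestGate(diffText, minNewTests = 1) {
  const r = { realTests: 0, skipped: 0, blocking: 0, removed: 0 };
  for (const line of diffText.split("\n")) {
    if (line.startsWith("+++ ") || line.startsWith("--- ")) continue; // file headers
    const body = line.slice(1);
    if (COMMENTED.test(body)) continue; // commented-out tests never run
    if (line.startsWith("+")) {
      if (BLOCKING.test(body)) r.blocking++;
      else if (SKIPPED.test(body)) r.skipped++;
      else if (TEST_CALL.test(body)) r.realTests++;
    } else if (line.startsWith("-") && TEST_CALL.test(body)) {
      r.removed++; // deleted tests offset additions
    }
  }
  r.net = r.realTests - r.removed;
  r.pass = r.blocking === 0 && r.net >= minNewTests;
  return r;
}

// Constructed sample diff: two real tests, two skipped, one commented out, one deleted.
const SAMPLE_DIFF = [
  "--- a/test/auth.test.js",
  "+++ b/test/auth.test.js",
  "@@ -10,3 +10,8 @@",
  " describe('auth middleware', () => {",
  "+  it('rejects a request with no session', () => {",
  "+  it.skip('rejects an expired signature', () => {",
  "+  xit('rejects a replayed nonce', () => {",
  "+  // it('rejects a malformed token', () => {",
  "+  test('accepts a valid session', () => {",
  "-  it('old placeholder', () => {",
  " });",
].join("\n");

console.log(evaluateTestGate(SAMPLE_DIFF));
```

A line-based check like this is a first filter only; counting the tests the runner actually executed before and after the change is the stronger signal.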
What else shipped:
- Threat model scaffold for documenting security impact on every change
- Middleware test harness for auth regression testing
- Corrected stale test baseline (172 real tests, not the 221 we thought)
- Identified 18 broken backend test files (queued for Phase 1 fix)
What this means for you:
Meridian's security posture is now enforceable by tooling, not convention. Phase 1 (CSP hardening + wallet signature improvements) is next — and everything shipping from here on out flows through these gates. No admin bypass, no shortcuts.
If you're a tester on /try-it, you won't see visible differences — but the code shipping to your wallet now passes more rigorous automated review before it's allowed to merge.
This milestone blocks mainnet launch. 1 of 5 security hardening phases complete.