feat(root): self-contained scheduled iyarc-prune workflow #9126

Open
rashadjnizar wants to merge 1 commit into master from HSM-429-iyarc-prune-self-contained

@rashadjnizar

Contributor

Ticket: HSM-429

Summary

Configures a scheduled agent to automatically prune stale entries from .iyarc (the improved-yarn-audit exclusion list). This is a self-contained replacement for the earlier nightshift-actions approach: a public repo can't call the private nightshift-actions reusable workflow, so this runs Claude Code directly via Bedrock, reusing the same OIDC + inference role already proven in claude-pr.yml.

Changes:

  • Adds .github/workflows/iyarc-prune.yml: weekly cron (Mondays 06:00 UTC) + manual workflow_dispatch; OIDC → Bedrock auth, then runs claude-code-action with commit signing enabled.
  • Adds .github/prompts/iyarc-prune.md: the prune task prompt.
  • Removes the 3 old nightshift-actions files (nightshift-scheduler.yaml, nightshift-task.yaml, .nightshift.yaml).

How it works

Each run the agent walks every .iyarc exclusion, checks whether a compatible patched version exists, and if so bumps the dependency and removes the exclusion. Before opening a PR it runs the release gates — audit-high + check-deps — plus a scoped build/test, and abandons the change if any gate fails. Green runs open one assigned non-draft PR, with commits signed via use_commit_signing. No-op runs are expected and produce no PR.

Testing

The nightshift scheduler dry-run no longer applies. Validated locally instead:

  • actionlint .github/workflows/iyarc-prune.yml — valid, no errors
  • act -l — job/trigger plan parses: prune iyarc-prune schedule,workflow_dispatch
  • Release gates run against the current tree (the exact gates the agent must pass):
    • yarn run audit-high → 0 vulnerabilities
    • yarn check-deps → pass

Full agent run (OIDC → Bedrock → commit/PR) can't execute locally; it will be verified post-merge via a manual workflow_dispatch.
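
The prune decision described under "How it works", as an added example that is not part of the pull request or the repository's code. It assumes .iyarc holds one advisory id per line with `#` comment lines, reads "compatible" as "same major version", and uses constructed advisory ids, package names and versions.

```javascript
// Added example, not the repository's code. Advisory records, package names
// and the "same major version" compatibility rule are assumptions.
const major = (v) => Number(v.split('.')[0]);

// True when a >= b for plain x.y.z versions (no pre-release tags).
function gte(a, b) {
  const x = a.split('.').map(Number);
  const y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// One advisory id per line; lines starting with '#' and blank lines carry no id.
function parseIyarc(text) {
  return text.split('\n').map((raw) => {
    const t = raw.trim();
    return { raw, id: t && !t.startsWith('#') ? t : null };
  });
}

// Drop an exclusion only when a patched release exists at or above the
// installed version within the same major; keep every other line verbatim.
function planPrune(iyarcText, advisories, installed) {
  const keep = [];
  const bumps = [];
  for (const { raw, id } of parseIyarc(iyarcText)) {
    const adv = id ? advisories[id] : undefined;
    const current = adv ? installed[adv.module] : undefined;
    const fixable = Boolean(adv && adv.patched && current) &&
      major(adv.patched) === major(current) && gte(adv.patched, current);
    if (fixable) bumps.push({ id, module: adv.module, to: adv.patched });
    else keep.push(raw);
  }
  return { iyarc: keep.join('\n'), bumps };
}

// Constructed sample input: placeholder advisory ids and package names.
const SAMPLE_IYARC =
  '# Excluded advisories\nGHSA-aaaa-bbbb-cccc\nGHSA-dddd-eeee-ffff\nGHSA-gggg-hhhh-iiii';
const SAMPLE_ADVISORIES = {
  'GHSA-aaaa-bbbb-cccc': { module: 'example-lib', patched: '2.4.1' },
  'GHSA-dddd-eeee-ffff': { module: 'example-parser', patched: '5.0.0' },
  'GHSA-gggg-hhhh-iiii': { module: 'example-http', patched: null },
};
const SAMPLE_INSTALLED = { 'example-lib': '2.3.0', 'example-parser': '4.9.2', 'example-http': '1.0.0' };
console.log(planPrune(SAMPLE_IYARC, SAMPLE_ADVISORIES, SAMPLE_INSTALLED));
```

A plan like this only selects candidates: per the description, the change is still abandoned unless audit-high, check-deps and the scoped build/test pass afterwards.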

@linear-code

linear-code Bot commented Jun 26, 2026

HSM-429

@zahin-mohammad zahin-mohammad self-requested a review June 26, 2026 21:48