Add role-based GitHub App manifests

Four roles with scoped permissions enforcing PR workflow at GitHub level:
- CEO: merge authority, org admin
- CTO: PR review/approval, full engineering + workflows
- QA: PR review/approval, read-only contents, CI monitoring
- Engineer: push branches, open PRs, CI execution

Apps are org-scoped. PEM naming: <org>-<role>.pem
Branch protection rulesets to be configured after app creation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

github-apps/engineer.json

@@ -0,0 +1,19 @@
+{
+  "name": "privilegedescalation-engineer",
+  "url": "https://github.com/privilegedescalation",
+  "hook_attributes": {
+    "url": "https://example.com/placeholder"
+  },
+  "redirect_url": "https://github.com/privilegedescalation",
+  "public": false,
+  "default_permissions": {
+    "contents": "write",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "write",
+    "pages": "write",
+    "metadata": "read"
+  },
+  "default_events": [],
+  "description": "Engineer agent \u2014 code push, PR creation, CI execution"
+}