feat(root): configure nightshift with iyarc-prune task

[rashadjnizar]

Ticket: HSM-410

What

Configures a Nightshift agent to automatically prune stale entries from .iyarc.
Adds three files:

• .github/workflows/nightshift-scheduler.yaml — weekday cron (06:00 UTC) that calls the reusable scheduler; 168h cooldown gates actual dispatch to ~weekly.
• .github/workflows/nightshift-task.yaml — thin wrapper calling the reusable task runner.
• .nightshift.yaml — the iyarc-prune custom task definition + prompt.

How it works

Each cycle the agent walks every .iyarc exclusion, checks whether a compatible patched version exists, and if so bumps the dependency and removes the exclusion. Before opening a PR it runs the release gates — audit-high + check-deps — plus a scoped build/test, and abandons the change if any gate fails. Green runs open one non-draft PR. No-op cycles are expected and produce no PR.

Testing

Validated the scheduler + config locally via the nightshift-actions CLI (offline dry-run):

Loaded 1 enabled tasks
--- Selected Tasks ---
  iyarc-prune (score: 18.00, priority: 8, staleness: 10.00, reason: never run)
Dry run — no tasks dispatched.

Confirms .nightshift.yaml parses and the task is selected correctly.

[linear-code]

HSM-410

[vinhkhangtieu]

what does iyarc do? is this pr mainly for security audit of packages in that file?

[rashadjnizar]

what does iyarc do? is this pr mainly for security audit of packages in that file?

iyarc is the ignore/exclusion file for improved-yarn-audit. this pr adds a scheduled nightshift agent that walks every entry in .iyarc, checks whether a compatible patched version now exists, and if so bumps the dependency and removes the exclusion.