Testing batch: golden-file YAML test + 7 behavioural coverage findings

[ydesgagn]

Summary

Closes 8 of the 9 Medium Testing findings from the deep code review, adding behavioural coverage for failure paths plus a flagship golden-file test for the generator's core output. Three findings carried a small, low-risk production hardening; the rest are pure test additions. Full suite: 338 examples, 0 failures; line coverage 94.6% → 98.5%. RuboCop clean across all 47 files.

Key changes:

• TEST-007 — new spec/ghb/integration/workflow_generation_spec.rb runs the real Application#execute pipeline in an isolated tmpdir against a minimal Ruby fixture and diffs the generated .github/workflows/build.yml against the checked-in golden file spec/fixtures/workflow_generation/build.yml (UPDATE_SNAPSHOTS=1 regenerates).
• TEST-006 — GitignoreManager wraps transient Net::OpenTimeout/ReadTimeout/ECONNRESET/ECONNREFUSED/SocketError from the gitignore.io fetch into an actionable error; specs cover 503/504 and each network error.
• TEST-009 — RepositoryConfigurator#build_branch_protection_payload uses filter_map so malformed user/team dicts can't yield a [null] list (GitHub 422); spec added.
• TEST-011 — Workflow#read raises GHB::ConfigError with file context on malformed YAML / non-mapping root instead of a raw Psych::SyntaxError/NoMethodError; specs added.
• TEST-002 — options_spec asserts public original_argv instead of instance_variable_get(:@argv).
• TEST-003 — added an ordered sleep(1)/(2)/(3) back-off assertion to the API-client retry specs.
• TEST-008 — Application#detect_default_branch unit-tested (success / fallback / explicit master).
• TEST-020 — validate_entries permissive non-Hash skip documented by tests (plus a guard that Hash entries still validate).

Deferred to a separate PR: TEST-001 (collapsing 20 __send__(:private) calls in gitignore_manager_spec) — best done with a GitignoreRules module extraction; collapsing them blindly trades precise failure localisation for purity and risks coverage regressions.

Types of changes

• Bugfix (fixes an issue)
• New feature (adds functionality)
• Refactoring (improves code without changing functionality)
• Breaking change (incompatible changes)
• Build or security update (updates dependencies, libraries, or security patches)
• Code style or documentation update (formatting, renaming, or documentation changes)
• Other (please describe):

Checklist

• Unit tests added to validate my fix/feature
• I have manually tested my change
• I did not add automation test. Why ?:
• Database changes requiring migration with downtime or reprocessing of existing data
• The SOUP file lists the risk Level, requirements and verification reasoning associated with each library
• `readme.md` includes sections on introduction, installation, usage, and contributing
• `docs/architecture.md` includes sections on the architecture diagram, software units, software of unknown provenance, critical algorithms and risk controls related to PII and security
• Impact on PII, privacy regulations (CCPA/GDPR/PIPEDA), CIS benchmarks or security (availability/confidentiality/integrity); management must be notified