feat: emit an environments configuration file from the manifest

[joshua-temple]

Problem

GitHub environment protection rules (required reviewers, wait timers, deployment branch and
tag policies) and environment-scoped secret and variable names are repository configuration,
not workflow YAML. cascade cannot express any of these in the generated workflows today, so
operators set them by hand in repository settings and there is no single source of truth tied
to the manifest.

Proposed approach

Emit a config artifact (for example environments.json) derived from the manifest. It would
declare, per environment, the protection rules and the expected secret and variable names.
The operator applies it out of band via gh api or Terraform; cascade never applies it
itself. This is the sibling of the existing branch-protection.json work in issue #5, using
the same generate-a-config-file pattern.

Acceptance criteria

• Manifest environments produce a deterministic environments config file.
• A drift test confirms the generated file stays stable for a given manifest.
• Documentation describes the file format and how operators apply it.
• The body and approach cross-reference feat: emit branch-protection.json from manifest #5.
• It remains a generated config file, not a runtime applier: cascade stays a generator.

Cross-reference: #5.