Bug: AC-03.01 implementation is testing additional aspects of the control beyond what is specified #141

@trumant

Description

Expected behavior

Running the main branch of pvtr-github-repo against revanite-io/example-osps-baseline-level-1 should result in a failure for control AC-03.01 because the main branch is not protected.

Observed behavior

Instead, I see the results:

```yaml
    control-id: OSPS-AC-03
    result: Passed
    message: Branch protection rule prevents deletions
    corrupted-state: false
    assessments:
    - requirement-id: OSPS-AC-03.01
      applicability:
      - Maturity Level 1
      - Maturity Level 2
      - Maturity Level 3
      description: When a direct commit is attempted on the project's primary branch, an enforcement mechanism MUST prevent the change from being applied.
      result: Passed
      message: "Repository contains no code - skipping branch protection checks"
      steps:
      - github.com/revanite-io/pvtr-github-repo/evaluation_plans/reusable_steps.IsCodeRepo
      - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/access_control.branchProtectionRestrictsPushes
      steps-executed: 2
      start: "2025-09-21T12:21:55-04:00"
      end: "2025-09-21T12:21:55-04:00"
      recommendation: |
        If the VCS is centralized, set branch protection on the primary branch
        in the project's VCS. Alternatively, use a decentralized approach,
        like the Linux kernel's, where changes are first proposed in another
        repository, and merging changes into the primary repository requires a
        specific separate act.
```

Given the control language doesn't speak to "code" needing to be in the repository, for the primary branch protection requirement, this is a bug.
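The step ordering visible in the output above (a repo-content gate running before the branch-protection check, and the gate reporting Passed when it short-circuits) is what produces the false pass. The following Go program is an added illustration written for this page, not code from pvtr-github-repo or the privateer framework; the `Result`, `Repo` and `Step` types, the `runSteps` runner and the constructed sample repository are all assumptions made for the example. It runs the two-step chain as reported and a corrected chain that evaluates branch protection regardless of whether the repository contains code, which is what the AC-03.01 text asks for.

```go
package main

import "fmt"

// Result mirrors the outcome strings seen in the issue's YAML output.
// The type and its values are assumptions for this example.
type Result string

const (
	Passed Result = "Passed"
	Failed Result = "Failed"
)

// Repo is a constructed stand-in for the data a plugin would fetch from GitHub.
type Repo struct {
	Name                   string
	HasCode                bool   // true once the repository contains source files
	PrimaryBranch          string // e.g. "main"
	PrimaryBranchProtected bool   // a rule blocks direct pushes to PrimaryBranch
}

// Step is one assessment step. The third return value tells the runner to
// stop and report this step's result without running the remaining steps.
type Step func(r Repo) (Result, string, bool)

// runSteps executes steps in order and returns at the first short-circuit.
func runSteps(r Repo, steps []Step) (Result, string) {
	result, msg := Passed, ""
	for _, s := range steps {
		var stop bool
		result, msg, stop = s(r)
		if stop {
			return result, msg
		}
	}
	return result, msg
}

// isCodeRepoSkipping reproduces the reported behaviour: a repository without
// code short-circuits with Passed, so the protection check never executes.
func isCodeRepoSkipping(r Repo) (Result, string, bool) {
	if !r.HasCode {
		return Passed, "Repository contains no code - skipping branch protection checks", true
	}
	return Passed, "", false
}

// branchProtectionRestrictsPushes is the check the requirement actually
// describes: a direct commit to the primary branch must be prevented.
func branchProtectionRestrictsPushes(r Repo) (Result, string, bool) {
	if r.PrimaryBranchProtected {
		return Passed, "Branch protection restricts pushes to " + r.PrimaryBranch, true
	}
	return Failed, "Primary branch " + r.PrimaryBranch + " is not protected", true
}

// EvaluateBuggy chains the steps in the order shown in the issue output.
func EvaluateBuggy(r Repo) (Result, string) {
	return runSteps(r, []Step{isCodeRepoSkipping, branchProtectionRestrictsPushes})
}

// EvaluateFixed drops the code gate for this requirement: the control text
// speaks only about the primary branch, not about code being present.
func EvaluateFixed(r Repo) (Result, string) {
	return runSteps(r, []Step{branchProtectionRestrictsPushes})
}

func main() {
	// Constructed sample matching the repository described in the issue:
	// no code yet, and an unprotected primary branch.
	example := Repo{Name: "revanite-io/example-osps-baseline-level-1", HasCode: false, PrimaryBranch: "main"}
	res, msg := EvaluateBuggy(example)
	fmt.Printf("buggy: %s (%s)\n", res, msg)
	res, msg = EvaluateFixed(example)
	fmt.Printf("fixed: %s (%s)\n", res, msg)
}
```

The general point the example makes is that a step which skips work must not report the same outcome as a step that verified the requirement; for AC-03.01 the skip is not warranted at all, because an empty repository still has a primary branch that can be pushed to.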
