Signature on protected main - configurable token role
Problem
The installer currently creates a project access token with Developer role. Developer tokens cannot push to a protected main branch, so signatures are stored on a separate branch, which is inconvenient for a dedicated signature store project.
Proposal
Make the token role configurable (for example --store_token_role maintainer) as an explicit opt-in. The installer should validate the provided token's permissions and warn if they are insufficient for committing to the chosen branch.
Impact
Allows keeping main protected while still committing signatures. Avoids recommending deprotecting main or giving broad push access to Developer tokens.
Edited by Thibault DEREGNAUCOURT
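
One way the proposed permission check could work, as an added example that is not the installer's own code: it compares the configured role against the branch's push rules and returns a warning when the token could not commit there. The function names and the sample data are hypothetical; the field names and the access-level integers (30 Developer, 40 Maintainer, 0 No one) follow GitLab's protected branches REST API, and wildcard matching is approximated with fnmatch.

```python
from fnmatch import fnmatchcase

# GitLab REST API access-level integers.
ROLES = {"developer": 30, "maintainer": 40}

# Constructed sample shaped like GET /projects/:id/protected_branches output.
SAMPLE_PROTECTED = [
    {"name": "main", "push_access_levels": [
        {"access_level": 40, "user_id": None, "group_id": None}]},
    {"name": "release/*", "push_access_levels": [
        {"access_level": 0, "user_id": None, "group_id": None}]},
]

def can_push(token_level, branch, protected, bot_user_id=None):
    """Return (allowed, reason) for a token of `token_level` pushing to `branch`."""
    rules = [p for p in protected if fnmatchcase(branch, p["name"])]
    if not rules:
        # Unprotected branches accept pushes from Developer and above.
        return token_level >= ROLES["developer"], "branch is not protected"
    for rule in rules:  # any matching rule that admits the token is enough
        for entry in rule.get("push_access_levels", []):
            if entry.get("user_id") is not None:
                if entry["user_id"] == bot_user_id:
                    return True, "token's bot user is explicitly allowed"
                continue
            if entry.get("group_id") is not None or entry.get("deploy_key_id") is not None:
                continue  # group and deploy-key entries are not evaluated here
            required = entry.get("access_level") or 0
            if required > 0 and token_level >= required:  # 0 means "No one"
                return True, f"role level {token_level} >= required {required}"
    return False, "no push rule on the protected branch admits this role"

def check_store_token_role(role, branch, protected=SAMPLE_PROTECTED):
    """Hypothetical installer check: None if fine, else a warning string."""
    allowed, reason = can_push(ROLES[role], branch, protected)
    if allowed:
        return None
    return f"WARNING: {role} token cannot commit to '{branch}': {reason}"

if __name__ == "__main__":
    for role in ROLES:
        print(role, "->", check_store_token_role(role, "main") or "ok")
```
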