audit: close launch-readiness contract gaps #33

Merged
davidahmann merged 4 commits into main from codex/adhoc-audit1-launch-readiness
Feb 21, 2026

@davidahmann
Contributor

Problem

  • Launch-readiness audit gaps remained across CI toolchain pin governance, CLI help exit-code behavior, status/coverage messaging, and security policy guidance.

Changes

  • Aligned PR workflow tool pins with normative policy and added deterministic anti-drift enforcement plus hygiene tests.
  • Normalized CLI help contract so --help paths return exit 0 consistently across root/subcommands.
  • Added explicit help-contract matrix coverage in unit and e2e CLI contract tests.
  • Updated README maturity/status wording and clarified evidence/report coverage semantics in docs and report output text.
  • Expanded SECURITY policy with private reporting workflow, required fields, response windows, supported fix targets, and disclosure coordination.

Validation

  • make prepush-full
  • .tmp/wrkr scan --path scenarios/wrkr/scan-mixed-org/repos --state .tmp/ship-scan-state.json --json

@davidahmann davidahmann merged commit 3ad32a9 into main Feb 21, 2026
5 checks passed