Finish R1 public security hardening

[jmcte]

Summary

• create new file-backed SQLite databases with owner-only 0600 permissions before SQLite opens them
• add --all-files-with-untracked, --all-local, and --local scan modes for local untracked artifact checks
• add MailPlus-focused leak checks for mailbox exports, local metadata/cache stores, and tokenized OAuth/reset/login/payment links
• document scanner limits as a fast baseline guardrail rather than complete DLP
• finish R1 public security polish with disclosure SLA language, fixture policy docs, and CONTRIBUTING guidance

Verification

• bash scripts/check-detect-secrets.sh --all-files
• bash scripts/check-detect-secrets.sh --all-local
• PYTHONPATH=src python3.12 -m unittest discover -s tests -p 'test_runtime.py' -v
• PYTHONPATH=src python3.12 -m unittest discover -s tests -p 'test_secret_scan_script.py' -v
• bash scripts/ci/run-fast-checks.sh

Closes #79.
Closes #80.
Closes #81.
Closes #82.

Merge Automation

Auto-merge was not enabled after repair because GitHub rejected the command: GraphQL: Auto merge is not allowed for this repository (enablePullRequestAutoMerge).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: de69067745

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".