[codex] Add engineering practices audit #108

Merged
haasonsaas merged 1 commit into main from codex/engineering-practices-control-plane
May 20, 2026

@haasonsaas
Contributor

Summary

  • add an auditable engineering-practices contract for org rulesets, backlog lifecycle, release trains, agent review, security SLOs, repo rails, and evidence-first done
  • add a non-mutating live audit workflow/report plus tests and codex-rails validation
  • add .github CODEOWNERS and EvalOpsBot requested-review dispatch for the org defaults repo
  • explicitly exclude CodeQL and GitHub default code scanning from the baseline; this PR does not enable CodeQL, default setup, or scanner required checks

Test plan

  • ruby .github/scripts/audit-engineering-practices.rb --contract-only --json-output /tmp/engineering-practices-contract.json --markdown-output /tmp/engineering-practices-contract.md
  • ruby -Itest test/audit_engineering_practices_test.rb
  • ruby -Itest -e 'ARGV.each { |path| require "./#{path}" }' test/*_test.rb
  • ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "ok #{f}" }' .github/contracts/engineering-practices.yml .github/workflows/engineering-practices-audit.yml .github/workflows/codex-rails-check.yml .github/workflows/evalopsbot-review-request.yml
  • actionlint .github/workflows/engineering-practices-audit.yml .github/workflows/evalopsbot-review-request.yml .github/workflows/codex-rails-check.yml
  • git -c core.fsmonitor=false diff --check
  • live audit smoke: ruby .github/scripts/audit-engineering-practices.rb --json-output /tmp/engineering-practices-audit-final2.json --markdown-output /tmp/engineering-practices-audit-final2.md

Live follow-through

  • created evaluate-only org ruleset 16622954 for critical default branches with deletion and non-fast-forward rules only
  • closed stale guardrail lifecycle issues [codex] Guardrail backlog: Runtime smoke coverage gap (runtime-smoke-coverage) #68 and [codex] Guardrail backlog: Workflow shell footgun (workflow-shell-footgun) #69 after existing closing evidence comments

@haasonsaas haasonsaas marked this pull request as ready for review May 20, 2026 04:21
@haasonsaas haasonsaas merged commit ff72984 into main May 20, 2026
5 checks passed
@haasonsaas haasonsaas deleted the codex/engineering-practices-control-plane branch May 20, 2026 04:21