audit engineering practice issue followups

[haasonsaas]

Summary

• teach the engineering-practices audit to recognize evaluate-mode required-status-check org rulesets
• add live security remediation ledger output for critical/high Dependabot alerts and secret-scanning alert types without exposing secret values
• recognize evalops/deploy#1344 as the active production release-train dashboard state record
• document the current evaluate-mode required-check policy and production release-train dashboard

Test plan

• ruby -Itest test/audit_engineering_practices_test.rb
• ruby -Itest -e 'ARGV.each { |path| require "./#{path}" }' test/*_test.rb
• ruby .github/scripts/audit-engineering-practices.rb --contract-only --json-output /tmp/engineering-practices-contract-next.json --markdown-output /tmp/engineering-practices-contract-next.md
• ruby .github/scripts/audit-engineering-practices.rb --json-output /tmp/engineering-practices-live-next2.json --markdown-output /tmp/engineering-practices-live-next2.md
• ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "ok #{f}" }' .github/contracts/engineering-practices.yml .github/workflows/engineering-practices-audit.yml .github/workflows/codex-rails-check.yml
• git -c core.fsmonitor=false diff --check

Issue links

• Resolves Adopt required status-check policy for critical repos #110
• Updates Drive Dependabot and secret-scanning SLO backlog to zero critical/high #111
• Updates evalops/deploy#1344

No CodeQL or GitHub default code scanning was enabled.