docs: remove Blacksmith org baseline wording

.github/contracts/org-control-plane.yml

@@ -85,7 +85,7 @@ requirements:
       - .github/workflows/codex-rails-check.yml
 github_security_configuration:
   id: 245233
-  name: EvalOps Blacksmith recommended
+  name: EvalOps security baseline recommended
   default_for_new_repos: all
   required_settings:
     advanced_security: secret_protection

SECURITY.md

@@ -26,7 +26,7 @@ This policy applies to all repositories in the [evalops](https://github.com/eval
 ## Code Scanning
 
 EvalOps does not use GitHub CodeQL or GitHub default code scanning. Every
-repository is attached to the **EvalOps Blacksmith recommended** code security
+repository is attached to the **EvalOps security baseline recommended** code security
 configuration (`id=245233`), which sets `advanced_security:
 secret_protection` and `code_scanning_default_setup: disabled`, and is the
 default for new repositories.

profile/GITHUB_ACTIONS_QUOTA.md

@@ -40,7 +40,9 @@ passing coverage, lint, or drift check into a failed required status.
 
 ## Runner Budget
 
-Prefer Blacksmith runners for normal CI unless a vendor workflow requires
-GitHub-hosted OIDC or trusted publishing. When a job stays on `ubuntu-latest`,
+Prefer owned EvalOps runners for trusted CI: `evalops-private-ci` for short
+private-repo checks and `evalops-internal` for deploy, release, GKE, or
+production-confirmation work. Keep public/fork, Dependabot, or vendor OIDC
+work on `ubuntu-latest` until a separate public-safe owned pool exists, and
 leave a comment explaining the dependency so later runner migrations do not
 re-introduce quota or authentication failures.