A CodeQL/security hardening pass, the series-doctrine move to the org, and a CI cleanup.
Series doctrine moved to the org. The Phoenix-13 (hooks-safety) and scripts-quality docs are now hosted canonically at TheColliery/.github alongside DESIGN-PRINCIPLES. CoalMine dropped its docs/ copies; SECURITY.md links the org, and the doctrine-mirror gate now checks the two machine-local rule homes.
Fixed: CodeQL js/file-system-race in install.mjs, configure.mjs, and the rot-canary-touch.js tripwire (read-and-handle / fstat-on-fd, all benign in context); markdownlint MD060 disabled; the detection benchmark is now dated inline.
Security: workflow actions pinned to commit SHAs (closes Scorecard PinnedDependencies). Dependabot still tracks them. The remaining by-design Scorecard findings are dismissed with documented reasons.
To update: claude plugin update coalmine@coalmine then restart Claude Code.