CI/supply-chain security hardening

[ciaranra]

Summary

Supply-chain / CI hardening pass (no functional code changes — workflows, config, and dep pins only).

• harden-runner on all CI — adds step-security/harden-runner (egress audit mode, SHA-pinned @9af89fc… v2.19.4) as the first step of every CI job (35 jobs / 19 workflows), Linux-guarded on matrix/macOS/Windows legs. Gives runtime egress visibility/baseline.
• Dependabot gomod coverage — closes a gap (cargo/pip/actions were covered, Go was not), so the Go module's advisories stop drifting.
• Bump go/pecos go directive 1.18 → 1.26.3 — the module is stdlib-only (zero deps); the ~77 OSV alerts there were Go standard-library CVEs flagged against the stale directive. Bumping clears them.
• Pin Pillow >=11.3.0 in python/quantum-pecos/docs/requirements.txt — Pillow is transitive via matplotlib; clears 1 critical (Pillow ACE) + 4 high (libwebp/DoS/overflow) code-scanning alerts.
• Document the IoC-list refresh process in scripts/dependency-integrity-check.sh.
• Drop a stray internal planning reference from a pyproject.toml comment.

Notes for reviewers

• harden-runner is intentionally audit (non-blocking). Follow-up: review the egress baseline, then switch to block with an allowlist.
• Net effect on code scanning: ~106 open alerts → roughly the 9 CodeQL FFI access-invalid-pointer warnings + a few transitive Rust/Python advisories (handled by Dependabot/cargo-deny).

Deferred (tracked, not in this PR)

• CodeQL FFI access-invalid-pointer triage (pecos-foreign, pecos-qis-ffi).
• Release integrity (OIDC trusted-publishing when PyPI publish is automated; build-provenance attestation for Julia binaries).
• Repo settings: make security checks required + disable force-push on dev.

Test plan

• Local: dependency-integrity-check exit 0 · just go-test debug passes · all workflow YAML valid · ruff/black/just lint clean
• CI green (harden-runner audit runs, dependency-integrity-check, go/python/rust/julia tests, CodeQL)