v0.11.0 — security hardening: deny-exec + C3 regex ReDoS backstop

ajaysurya1221 released this 15 Jun 05:02 · 51 commits to main since this release · 78dcd1a

Security-hardening release. Opt-in, fail-closed controls over the executable checker families, a real fix for catastrophic-regex stalls, and honest security/validation docs — all backward-compatible (trusted/internal repos are unchanged).

Highlights

  • deny-exec / deny-shell execution policy: --deny-exec / --deny-shell (env DORIAN_DENY_EXEC / DORIAN_DENY_SHELL) on seal, verify, revalidate, and rebind. The executable families (C4 pytest:, C5 shell:) ERROR instead of running, gated at the single run_checker choke point. A blocked claim never seals (born-verifiable) and never silently passes revalidate (ERRORED, never VERIFIED/BROKEN). Fail-closed; not a sandbox.
  • C3 regex ReDoS backstop: the match runs in a spawned worker killed at spec.timeout_s, so catastrophic backtracking ERRORs (regex_timeout) instead of stalling. No new core runtime dependency.
  • Drift guards: test_version_sync (pyproject == __init__ == CLI) and test_cli_docs_sync (every README command resolves).
  • Honesty & onboarding docs: SECURITY.md, docs/SECURITY_BOUNDARY.md, validation-honesty / release-checklist / dependency / benchmark-reproducibility / shadow-pilot docs, 6 issue templates, a manual OIDC PyPI publish workflow, and a roadmap backlog with an explicit "do not build" list.
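The ReDoS backstop pattern described in the C3 item, as an added sketch that is not dorian's own code: the match runs in a separate interpreter that is killed when the time budget expires, using only the standard library. The function name check_regex, the MATCH / NO_MATCH statuses, and the worker_failed reason are hypothetical; only ERROR and regex_timeout come from the notes above.

```python
import json
import subprocess
import sys

# Worker source run in a separate interpreter: reads {"pattern", "text"} as
# JSON on stdin and prints whether the pattern matches anywhere in the text.
_WORKER = (
    "import json, re, sys\n"
    "job = json.load(sys.stdin)\n"
    "print(json.dumps(re.search(job['pattern'], job['text']) is not None))\n"
)


def check_regex(pattern: str, text: str, timeout_s: float = 2.0) -> dict:
    """Run one regex check; the caller never waits much longer than timeout_s."""
    job = json.dumps({"pattern": pattern, "text": text})
    try:
        # subprocess.run kills the child when the timeout expires, so a
        # catastrophically backtracking match cannot outlive its budget.
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _WORKER],
            input=job, capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return {"status": "ERROR", "reason": "regex_timeout"}
    if proc.returncode != 0:
        # Invalid pattern or worker crash: fail closed, report no match result.
        return {"status": "ERROR", "reason": "worker_failed"}
    matched = json.loads(proc.stdout)
    return {"status": "MATCH" if matched else "NO_MATCH", "reason": None}


if __name__ == "__main__":
    # Constructed inputs: one benign pattern, one with nested quantifiers
    # that backtracks exponentially on a near-miss string.
    print(check_regex(r"TODO\(\w+\)", "x = 1  # TODO(alice) tidy"))
    print(check_regex(r"(a+)+$", "a" * 40 + "b", timeout_s=1.0))
```

The timeout bounds wall-clock time only; like deny-exec, it is not a sandbox for the pattern's author.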

Adversarial audit

A five-lens review caught a real escape: dorian rebind re-runs checkers but did not receive the policy and had no flag, so it executed code under DORIAN_DENY_EXEC=1. Fixed, with a red-green-verified regression test.

Caveat

deny-exec removes code execution but not the self-attested-verdict problem; the public-fork-PR story remains the deferred trusted-base Action mode (designed, not built). Use dorian on trusted/internal repositories, or with --deny-exec everywhere else.

Verification

CI green on Python 3.11 / 3.12 / 3.13; 636 tests pass. Core runtime dependencies: none.