NexLink v0.15.8 — ClawScan Security Audit Remediation

Security: All 5 ClawScan findings resolved

🔒 Changes

• Per-command --yes only — removed NEXLINK_AUTO_APPROVE global bypass
• Pinned dependencies — exact versions (==) instead of minimum ranges (>=)
• Branding cleanup — removed --no-branding CLI flag, module-level control
• File permissions — config/logs/state files use 0o600/0o700
• Docs updated — SECURITY.md, security-best-practices.md, CHANGELOG.md

📦 Commits

• 9e02355 — Phase 1: per-command --yes + pinned deps
• 6808d84 — Phases 2-4: branding, permissions, docs
• b8ca8e0 — Version bump to 0.15.8

🔗 Links

• Security Best Practices
• CHANGELOG
• ClawHub Registry