[codex] honor enforced org security config

[xiaojiou176]

Summary

• teach the GitHub control-plane checker to accept enforced org code-security configuration evidence for secret-scanning subfeatures
• keep the policy explicit by recording the org configuration id and repository enforcement status in the repo-owned control-plane contract
• add coverage for both the strict-fail and org-enforced fallback paths

Test Plan

• ... [100%]
  3 passed in 0.34s
• ❌ [github-control-plane] violations:
• gh api repo fetch failed: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• gh api actions permissions failed: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• gh api environments failed: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• branch protection unavailable or mismatched: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• private vulnerability reporting not proven: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• vulnerability alerts not proven: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• secret_scanning drift: actual='missing' expected='enabled'
• secret_scanning_push_protection drift: actual='missing' expected='enabled'
• secret_scanning_non_provider_patterns drift: actual='missing' expected='enabled'
• secret_scanning_validity_checks drift: actual='missing' expected='enabled'
• org code-security configuration not proven: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}
• dependabot alerts not proven: {'message': 'Bad credentials', 'documentation_url': 'https://docs.github.com/rest', 'status': '401'}

Breaking Changes

None