* feat(steerability): add config-driven profile with code_path avoid enforcement
* fix(steerability): write SDK deny rules once per workflow to avoid parallel-agent race
* fix(steerability): reference guidance by pointer in report DROP rules
* fix(steerability): tighten code_path avoid enforcement
* chore(steerability): use shared ALL_VULN_CLASSES const and tighten RunScope type
* fix(steerability): validate run scope before resume short-circuit
* fix(steerability): emit only documented Read/Edit deny rules for code_path
* fix(steerability): assemble report from analysis deliverables when exploit is disabled
* feat(steerability): preflight check that code_path rules match at least one repo entry
* fix(steerability): tag missing code_path entries with avoid/focus kind
* revert(steerability): assemble report from analysis deliverables when exploit is disabled
* feat(steerability): render per-class findings from queue JSON when exploit is disabled
* refactor(steerability): trim findings renderer to common mappable rows
* feat(steerability): allow report agent to rewrite category-label finding titles
* docs(steerability): document new config fields in README and CLAUDE.md
* docs(steerability): comment out optional config sections in examples
ezl-keygraph