docs: sync changelog and security guidance

CHANGELOG.md

@@ -40,8 +40,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - `.github/workflows/ci.yml` — pytest matrix on Python 3.9 / 3.10 /
     3.11 / 3.12 / 3.13, ruff (lint + format check), mypy strict, build
     sdist + wheel.
-  - `.github/dependabot.yml` — weekly `pip` + `github-actions`
-    updates.
   - `.github/PULL_REQUEST_TEMPLATE.md` — Summary / Changes / API
     impact / Daemon compatibility / Async compatibility / Testing /
     Checklist.

SECURITY.md

@@ -44,15 +44,13 @@ We follow [coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/C
 
 ## Security practices in this repo
 
-- **Dependency monitoring:** automated via Dependabot (see
-  `.github/dependabot.yml`).
-- **Static analysis:** `golangci-lint` / `ruff` / `mypy` enforced in CI.
-- **Vulnerability scanning:** `govulncheck` (Go) / `pip-audit` (Python) run
-  on every CI build.
-- **Lockfiles:** `go.sum` / `pnpm-lock.yaml` / `pyproject.toml` are pinned
-  and committed.
-- **Reproducible builds:** release artefacts ship with SHA-256 checksums via
-  goreleaser.
+- **Dependency monitoring:** vulnerable dependencies are detected by
+  `pip-audit`, which runs on every CI build (see "Vulnerability scanning").
+- **Static analysis:** `ruff` (lint + format) and `mypy --strict` are enforced
+  in CI (see `.github/workflows/ci.yml`).
+- **Vulnerability scanning:** `pip-audit` runs on every CI build.
+- **Lockfiles:** dependencies are pinned in `pyproject.toml`.
+- **Reproducible builds:** wheels and sdists are built with `hatchling`.
 - **No secrets in source:** API keys are configuration, not constants. Pre-
   commit hooks block accidental secret commits.