0.17 phase 4 PR B: status --verbose + README/SECURITY refresh

[StanMarek]

Summary

• ghost-complete status now prints a one-line JS-only summary by default; --verbose dumps the full list. JSON output unchanged (dashboards stay green).
• README drops the stale "dynamic generator results require another keystroke" claim — actual behavior is the dynamic merge loop in gc-pty/src/proxy.rs:265-283, gated by popup.render_block_ms (default 80ms, range 0-300ms).
• README config snippet annotated as illustrative; canonical reference is docs/CONFIGURATION.md.
• SECURITY.md replaces the static 0.10.x table with a "latest stable minor + in-flight RC" policy statement. <maintainer-email> placeholder left intentionally for the reviewer to fill in (or replace with the noreply alias) before merge — DO NOT merge with the literal placeholder in.

Implementation notes

• The plan's render_status(out, &outcome, verbose) symbol did not exist in the repo; extracted a pub(crate) fn render_status_text(out, &outcome, verbose) out of run_status_inner so the new tests have a pure render entry point. verbose: bool threaded through run_status_inner → run_status_inner_with_trend → run_status_with_opts_to_writer → run_status_with_opts. JSON branch (run_status_json) intentionally does NOT accept verbose — the dashboard contract is verbose-by-default.
• The stale "keystroke required" bullet lived at README:211 (under ## Known Limitations); the replacement reframes it as a feature with the render_block_ms knob. Reading it under "Known Limitations" is mildly awkward, but matches the plan's prescription verbatim and stays in the same section so existing anchor links keep working.
• The js_commands list contains top-level command names (aws, cargo, apt, …), not subcommands. The plan's expected ">100 aws lines" was based on a misread of the data shape — actual verbose dump is 180 distinct top-level commands. The unit tests use a synthetic fixture with aws s3/aws ec2 to pin the plain-vs-verbose split independent of the real corpus shape.

Test plan

• cargo test --workspace green (one pre-existing flake in gc-suggest::eviction that passes on isolated rerun — unrelated to this PR's surface).
• status_plain_does_not_dump_js_commands_list and status_verbose_dumps_js_commands_list cover the plain/verbose split; status_json_payload_is_unchanged_by_verbose pins JSON byte-equality across --verbose.
• cargo clippy --all-targets -- -D warnings clean.
• cargo fmt --check clean.
• Manual smoke: plain status short (one-line js summary), status --verbose lists 180 top-level commands, diff <(status --json) <(status --verbose --json) is empty.

Coordination

PR A (drift battery) and PR C (TUI ergonomics) touch disjoint files. Phase 5 (macos-smart-completions) is also disjoint. Zero expected conflicts in either direction.