chore(release): pin security contact and cnb tag sync

scripts/release/check-versions.sh

@@ -9,7 +9,8 @@
 #      `version` in the root `Cargo.toml`.
 #   3. Internal `deepseek-*` path dependency pins match the workspace version.
 #   4. The TUI crate's packaged changelog copy matches root `CHANGELOG.md`.
-#   5. `Cargo.lock` is in sync with the manifests (`cargo metadata --locked`
+#   5. `SECURITY.md` keeps the dedicated security contact.
+#   6. `Cargo.lock` is in sync with the manifests (`cargo metadata --locked`
 #      fails if not).
 set -euo pipefail
 
@@ -51,7 +52,18 @@ if ! cmp -s CHANGELOG.md crates/tui/CHANGELOG.md; then
   fail=1
 fi
 
-# 5) Cargo.lock in sync.
+# 5) Security contact guard.
+security_email="security@deepseek-tui.com"
+if ! grep -qF "${security_email}" SECURITY.md; then
+  echo "::error::SECURITY.md must list ${security_email} as the security contact." >&2
+  fail=1
+fi
+if grep -qF "hmbown.dev@gmail.com" SECURITY.md; then
+  echo "::error::SECURITY.md must not use the personal fallback email; use ${security_email}." >&2
+  fail=1
+fi
+
+# 6) Cargo.lock in sync.
 if ! cargo metadata --locked --format-version 1 --no-deps >/dev/null 2>&1; then
   echo "::error::Cargo.lock is out of sync with the manifests. Run 'cargo update -p deepseek-tui' or 'cargo build' and commit the result." >&2
   fail=1