
ci: fix main trigger and harden workflow action pins#1

Merged
Conalh merged 1 commit into main from fix/warden-ci-workflow-hardening on Jun 21, 2026

Conversation


@Conalh Conalh commented Jun 20, 2026

Owner

Base SHA: 341cb19

Summary

  • .github/workflows/ci.yml: switched the push branch filter from master to main and updated actions/checkout to the requested immutable SHA pin while preserving the existing checkout hardening and Rust checks.
  • .github/workflows/fuzz.yml: added permissions: contents: read, pinned checkout and upload-artifact actions to immutable SHAs, and disabled persisted checkout credentials.
  • .github/workflows/pages.yml: pinned checkout, upload-pages-artifact, and deploy-pages actions to immutable SHAs, and disabled persisted checkout credentials.
  • Cargo.toml: normalized the repository URL casing to https://github.com/Conalh/warden.

Validation

  • cargo fmt --all -- --check: passed
  • cargo clippy --all-targets --locked -- -D warnings: passed
  • cargo test --all --locked: passed (75 library tests, 22 integration tests, 3 parser robustness tests, 1 doctest)
  • cargo build --release --locked: passed
  • git diff --check: passed
  • actionlint .github/workflows/*.yml: not performed; actionlint is not installed in the local environment
  • Workflow pin check: passed; every external uses: reference is pinned to a 40-character commit SHA
  • Mutable workflow ref check: passed; no @v3, @v4, @v5, @v6, or @v7 references remain
  • Branch filter check: passed; no active workflow branch filter references master
  • Final diff scope: passed; only .github/workflows/ci.yml, .github/workflows/fuzz.yml, .github/workflows/pages.yml, and Cargo.toml changed

No Rust source, tests, examples, documentation, policy semantics, CLI behavior, WASM behavior, or generated assets were changed.

Barbican compatibility

  • Warden base SHA: 341cb19a05305c09641cfbb7d3b3fbf23233f1fa
  • Warden candidate SHA: 659d3effee49be6ef5e604ceabc82d08d66aa1cf
  • Barbican SHA: 73acbe17b9d47b5b195d17c9629a5b7675886168
  • agent-gov-core SHA: 89409673b1943460f3262011418d085844de697e
  • CapabilityEcho SHA: d7b60697df3f1c37319e636268a46355b6bbd607
  • Node: v24.15.0
  • npm: 11.13.0
  • rustc: rustc 1.95.0 (59807616e 2026-04-14)
  • cargo: cargo 1.95.0 (f2d3ce0bd 2026-03-21)

Build order used for the frozen Barbican workspace:

  • base Warden: cargo build --locked passed
  • candidate Warden: cargo build --locked passed
  • agent-gov-core: npm ci passed; npm run build passed
  • CapabilityEcho: npm ci passed; npm run build passed
  • barbican: npm ci passed; npm run build passed

Baseline Barbican verification:

  • Command: BARBICAN_WARDEN=<base-warden.exe> npm run verify
  • Result: passed, exit 0
  • Test totals: 34 tests, 34 pass, 0 fail, 0 skipped
  • Evidence demo: passed
  • Denied calls: confirmed not to reach downstream server
  • Allowed call: run_shell / git status reached downstream exactly once
  • Downstream total: exactly one tools/call, the allowed git status call
  • Report validation: canonical barbican and capability_echo reports validated against agent-gov-core

Candidate Barbican verification:

  • Command: BARBICAN_WARDEN=<candidate-warden.exe> npm run verify
  • Result: passed, exit 0
  • Test totals: 34 tests, 34 pass, 0 fail, 0 skipped
  • Evidence demo: passed
  • Denied calls: confirmed not to reach downstream server
  • Allowed call: run_shell / git status reached downstream exactly once
  • Downstream total: exactly one tools/call, the allowed git status call
  • Report validation: canonical barbican and capability_echo reports validated against agent-gov-core

No source or tracked files remain modified in the temporary barbican, agent-gov-core, or CapabilityEcho checkouts after the compatibility run.
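The pin, mutable-ref, branch-filter and persisted-credential checks that the Validation section above reports as passed, written out as an added shell script. This is example code, not part of this PR or of the Warden repository; the two sample workflows it writes are constructed for the example, and the 40-hex SHAs in them are placeholders rather than the real commits of actions/checkout or actions/upload-artifact.

```shell
#!/bin/sh
# Added example, not part of the PR or the Warden repository: a portable re-implementation of
# the PR's "workflow pin check", "mutable workflow ref check" and "branch filter check", plus a
# check that every actions/checkout step disables persisted credentials.
# The two sample workflows below are constructed here; their 40-hex SHAs are placeholders, not
# the real commits of actions/checkout or actions/upload-artifact.

# write_samples DIR: write a hardened and an unhardened sample workflow into DIR.
write_samples() {
  mkdir -p "$1"
  cat > "$1/hardened.yml" <<'EOF'
name: fuzz
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  fuzz:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          persist-credentials: false
      - name: Upload crash artifacts
        uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA
        with:
          path: fuzz/artifacts
EOF
  cat > "$1/unhardened.yml" <<'EOF'
name: fuzz
on:
  push:
    branches: [master]
jobs:
  fuzz:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Upload crash artifacts
        uses: actions/upload-artifact@v4
        with:
          path: fuzz/artifacts
EOF
}

# list_uses FILE: print the value of every `uses:` key, with quotes and trailing comments stripped.
list_uses() {
  sed -n -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^#[:space:]]+).*/\1/p' "$1" | tr -d "\"'"
}

# check_pins FILE: succeed only if every external action ref is a 40-hex commit SHA.
# Local actions (./path) and container images (docker://...) have no upstream tag to pin.
check_pins() {
  list_uses "$1" | while IFS= read -r u; do
    case "$u" in ./*|docker://*) continue ;; esac
    ref=${u##*@}
    [ "$ref" != "$u" ] || { echo "unpinned (no @ref): $u" >&2; exit 1; }
    echo "$ref" | grep -qE '^[0-9a-f]{40}$' || { echo "mutable ref: $u" >&2; exit 1; }
  done
}

# check_branch_filter FILE: succeed only if no uncommented branch filter names master.
check_branch_filter() {
  ! grep -v -E '^[[:space:]]*#' "$1" \
    | grep -E '^[[:space:]]*(branches(-ignore)?:.*master|-[[:space:]]*"?master"?[[:space:]]*$)' >/dev/null
}

# check_checkout_creds FILE: succeed only if every actions/checkout step sets persist-credentials: false.
# A step starts at a dash-prefixed key; the checkout step is "open" until the next step starts.
check_checkout_creds() {
  awk '
    /^[[:space:]]*-[[:space:]]*(uses|name|run|id|if|env|with|shell):/ { if (inco && !ok) missing++; inco = 0 }
    /uses:[[:space:]]*actions\/checkout@/ { inco = 1; ok = 0 }
    inco && /persist-credentials:[[:space:]]*false/ { ok = 1 }
    END { if (inco && !ok) missing++; exit (missing > 0) }
  ' "$1"
}

# audit_workflow FILE: run all checks and report each failure; succeed only if all pass.
audit_workflow() {
  fails=0
  check_pins "$1"           || { echo "$1: unpinned or mutable action refs" >&2; fails=$((fails + 1)); }
  check_branch_filter "$1"  || { echo "$1: branch filter still references master" >&2; fails=$((fails + 1)); }
  check_checkout_creds "$1" || { echo "$1: checkout step without persist-credentials: false" >&2; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ]
}

# Usage: sh audit.sh .github/workflows/*.yml   (with no arguments only the functions are defined)
for f in "$@"; do audit_workflow "$f" && echo "$f: ok"; done
```

The script only needs sed, grep, awk and tr, so it runs where actionlint is not installed; it is a syntactic check and does not replace actionlint's schema validation. A SHA pin is only as good as the comment beside it, so keep the version comment next to each pin and refresh both together.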

@Conalh Conalh merged commit 15b5dc3 into main Jun 21, 2026
1 check passed
@Conalh Conalh deleted the fix/warden-ci-workflow-hardening branch June 21, 2026 03:33
