chore: post-release maintenance backlog for v0.12.0

[jithinraj]

Summary

Tracks post-release maintenance work following v0.12.0.

Dependency maintenance

• Review and merge low-risk dependency updates
• Review major-version updates separately where breaking changes are possible
• Track remaining dev-only audit findings and close them through normal dependency maintenance

Validation and tooling follow-ups

• test: fix SSRF expansion mock injection and error assertions #483: SSRF-specific error preservation in safeFetch
• feat: AST or dependency-graph based no-network audit #484: AST/dependency-based no-network audit
• feat: repeated-run and Linux CI benchmark artifacts #485: Repeated-run/Linux benchmark artifacts
• feat: stronger API contract extraction for critical packages #486: Stronger API contract extraction for critical packages
• chore: full install-surface proof for workspace-dep packages #487: Full install-surface proof for workspace-dependent packages

Additional follow-up

• Revisit deferred package-publishing/trust items when those packages are published
• Continue routine documentation and package-surface polish as needed