diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a702836..e79541b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,10 +16,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ matrix.go-version }}
@@ -61,7 +61,7 @@ jobs:
 if: matrix.go-version == '1.25.1'
 - name: Upload coverage artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: coverage-${{ matrix.go-version }}
 path: coverage.html
@@ -78,27 +78,22 @@ jobs:
 security:
 name: Security Scan
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '1.25.1'
 - name: Run gosec
- uses: securego/gosec@master
- with:
- args: -exclude=G115 ./...
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: 'fs'
- scan-ref: '.'
- severity: 'CRITICAL,HIGH'
+ run: |
+ go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
+ gosec -exclude=G115 ./...
 lint:
 name: Lint
@@ -106,15 +101,14 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '1.25.1'
 - name: Run golangci-lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
 with:
- version: latest
 args: --timeout=5m 
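Review bot: The trailing comment on each newly pinned `uses:` line records only the major version (`# v4`, `# v5`, `# v8`), so a reader cannot tell which release the SHA corresponds to, and tooling that refreshes pinned SHAs generally keys off the exact tag in that comment. Write the full release tag the SHA resolves to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v<X.Y.Z>` (placeholder — verify the SHA against the upstream release list before writing the tag). The same applies to the other three ci.yml hunks and to the openssl.yml hunks in this commit.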
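Review bot: Dropping the Trivy step in the `security` job removes the only dependency/filesystem vulnerability scan visible in this workflow, and the replacement `go install ... gosec` step only does static analysis of the project's own source, so CRITICAL/HIGH findings in third-party modules will no longer fail CI. If the goal was to get rid of the floating `@master` reference rather than the scan itself, pin the Trivy action to a release SHA like the other actions, or add a pinned `go install golang.org/x/vuln/cmd/govulncheck@<pinned version>` followed by `govulncheck ./...` to keep module-level coverage. The `gosec@v2.22.4` pin is fine, since `go install` with an explicit version is checked against the Go checksum database. The added `permissions: contents: read` is the right direction; the other jobs in these hunks show no `permissions:` block, so confirm one is set at workflow level (not visible here).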
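Review bot: Removing `version: latest` from the golangci-lint step does not pin the linter binary: unless a version is declared elsewhere (for example in the module's go.mod), the action's default still resolves to the latest release, so the linter floats while the action itself is now pinned. Set an explicit golangci-lint v2 release, `version: v2.<minor>.<patch>` (constructed placeholder — use the release the project currently lints with), so lint results are reproducible across runs.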
diff --git a/.github/workflows/openssl.yml b/.github/workflows/openssl.yml
index 4b4dd3d..62aa3c6 100644
--- a/.github/workflows/openssl.yml
+++ b/.github/workflows/openssl.yml
@@ -13,10 +13,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '1.23'
@@ -34,13 +34,13 @@ jobs:
 continue-on-error: true
 run: |
 chmod +x ./scripts/testing/test_cms_headers.sh
- ./scripts/testing/test_cms_headers.sh || echo "⚠️ Test skipped (known OpenSSL 3.x Ed25519 limitation)"
+ ./scripts/testing/test_cms_headers.sh || echo "Test skipped (known OpenSSL 3.x Ed25519 limitation)"
 - name: Run OpenSSL verify test
 continue-on-error: true
 run: |
 chmod +x ./scripts/testing/test_openssl_verify.sh
- ./scripts/testing/test_openssl_verify.sh || echo "⚠️ Test skipped (known OpenSSL 3.x Ed25519 limitation)"
+ ./scripts/testing/test_openssl_verify.sh || echo "Test skipped (known OpenSSL 3.x Ed25519 limitation)"
 - name: Test CMS signature generation and verification
 continue-on-error: true
@@ -52,14 +52,14 @@ jobs:
 echo "Test data for CMS signature" > test_data.txt
 # Verify with OpenSSL (detached signature)
- openssl cms -verify -inform DER -in test.der -content test_data.txt -noverify -binary || echo "⚠️ OpenSSL verification failed (known limitation)"
+ openssl cms -verify -inform DER -in test.der -content test_data.txt -noverify -binary || echo "OpenSSL verification failed (known limitation)"
 # Show ASN.1 structure
 openssl asn1parse -inform DER -in test.der -i | head -20
 - name: Upload test artifacts
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: openssl-test-artifacts
 path: |
diff --git a/AGENTS.md b/AGENTS.md
index 5b74aa7..d3981b4 100644
--- a/AGENTS.md
+++ b/AGENTS.md
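Review bot: On the changed `|| echo` lines in the -34,13 hunk, a failing test script now prints a plain message while `continue-on-error: true` on the step keeps the job green, so a real regression in the Ed25519 CMS path looks the same in the run summary as the known-limitation skip. Emitting a workflow annotation instead, `|| echo "::warning::Test skipped (known OpenSSL 3.x Ed25519 limitation)"`, keeps the step non-fatal but makes the skip visible in the job summary; the same applies to the `openssl cms -verify` line in the -52,14 hunk. That line also passes `-noverify`, which skips certificate-chain validation and checks only the signature, so a comment above it stating that this is deliberate (presumably because the test certificate has no trusted chain — confirm) would stop a later reader treating it as an oversight. The enclosing `run:` blocks start outside the hunks.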
@@ -59,6 +59,7 @@ bd ready --json **Create new issues:** ```bash + bd create "Issue title" --description="Detailed context" -t bug -p 1 --json bd create "Issue title" --description="What this issue is about" -p 1 --deps discovered-from:bd-123 --json ``` @@ -121,6 +122,7 @@ bd automatically syncs with git: - ❌ Do NOT use external issue trackers - ❌ Do NOT duplicate tracking systems + For more details, see README.md and docs/IMPLEMENTATION.md. ## Landing the Plane (Session Completion)