Wire runtime guard evidence into static analysis queue #157

Merged: svy04 merged 1 commit into main from codex/runtime-guard-wiring on Jun 19, 2026

svy04 (Owner) commented Jun 19, 2026

Summary

  • Move the two credential dead-export triage records from unresolved needs_runtime_guard to runtime_guarded with linked runtime behavior evidence.
  • Teach the static-analysis remediation queue to keep runtime-guarded candidates out of the unresolved P1 queue while still recording them as guarded evidence.
  • Keep deletion, autofix, cleanup-completion, public-readiness, and external-validation claims blocked.

Source-first basis

  • Knip JSON reporter remains a candidate feed, not deletion authority.
  • dependency-cruiser/jscpd findings remain remediation queues, not automatic refactor claims.
  • SSDF-style artifact evidence is modeled as linked validation commands and bounded claim language.

Verification

  • RED observed before implementation:
    • bun test scripts/product-dead-export-candidates.test.ts
    • bun test scripts/product-static-analysis-remediation-queue.test.ts
  • GREEN / target checks:
    • bun test scripts/product-dead-export-candidates.test.ts
    • bun test scripts/product-static-analysis-remediation-queue.test.ts
    • bun test src/services/api/providerConfig.runtimeCodexCredentials.test.ts src/utils/geminiCredentials.test.ts
    • bun run product:dead-export-candidates
    • bun run product:static-analysis-remediation-queue
    • bun run typecheck --pretty false
    • bun test scripts/product-dead-export-candidates.test.ts scripts/product-static-analysis-remediation-queue.test.ts src/services/api/providerConfig.runtimeCodexCredentials.test.ts src/utils/geminiCredentials.test.ts
    • bun run product:quality
    • git diff --cached --check
    • staged local-path/secret scan over git diff --cached

Notes

  • bun run scripts/product-quality-gate.ts failed when run alone before full product generation because prerequisite ignored JSONL reports were absent and trace reports had not been regenerated. The full bun run product:quality command generated prerequisites and passed.
  • The worktree has unstaged product-quality report churn from the full local gate; this PR intentionally commits only the runtime-guard/static-analysis evidence slice.
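
The queue rule from the Summary above, as an added TypeScript example that is not part of this PR or the repository's code. The record shape, field names and export names are assumptions; only the two status strings and the evidence command come from the PR text. Treating a guarded status without linked evidence as still unresolved is also an assumption of this example.

```typescript
// Added illustration; TriageRecord and RemediationQueue are hypothetical shapes,
// not the repository's schema.
type TriageStatus = "needs_runtime_guard" | "runtime_guarded";

interface TriageRecord {
  exportName: string;          // hypothetical identifier for the flagged export
  status: TriageStatus;
  evidenceCommands: string[];  // validation commands linked as runtime evidence
}

interface RemediationQueue {
  unresolvedP1: string[];      // still needs a runtime guard or a human decision
  guardedEvidence: string[];   // recorded as guarded, not as a cleanup claim
  deletionAllowed: false;      // a candidate feed never grants deletion authority
}

function buildQueue(records: TriageRecord[]): RemediationQueue {
  const queue: RemediationQueue = {
    unresolvedP1: [],
    guardedEvidence: [],
    deletionAllowed: false,
  };
  for (const r of records) {
    // Fail closed: a guarded status with no non-empty linked command is an
    // unsupported claim, so the record stays in the unresolved P1 queue.
    const hasEvidence = r.evidenceCommands.some((c) => c.trim() !== "");
    const guarded = r.status === "runtime_guarded" && hasEvidence;
    (guarded ? queue.guardedEvidence : queue.unresolvedP1).push(r.exportName);
  }
  return queue;
}

// Constructed sample records; export names are placeholders.
const sample: TriageRecord[] = [
  { exportName: "exampleCredentialExportA", status: "runtime_guarded",
    evidenceCommands: ["bun test src/utils/geminiCredentials.test.ts"] },
  { exportName: "exampleCredentialExportB", status: "runtime_guarded",
    evidenceCommands: [] },
  { exportName: "exampleOtherExport", status: "needs_runtime_guard",
    evidenceCommands: [] },
];

console.log(buildQueue(sample));
```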

svy04 merged commit 5c2064b into main on Jun 19, 2026
6 checks passed
svy04 deleted the codex/runtime-guard-wiring branch on June 19, 2026 23:52