docs: post-cutover + Kuzu 0.11 sweep (CLAUDE/PROJECT_SUMMARY/AGENTS/SECURITY/CHANGELOG)#160

Merged: aksOps merged 1 commit into `main` from `docs/post-cutover-and-kuzu-0.11` on May 14, 2026
@aksOps (Contributor) commented May 14, 2026

Summary

Stale doc references after Phase 6 (Java deletion, #132) and the Kuzu 0.7.1 → 0.11.3 bump (#155, #159).

| File | Change |
| --- | --- |
| `CLAUDE.md` | Bump Kuzu 0.7.1 → 0.11.3, go-sqlite3 1.14.22 → 1.14.44, cobra to 1.10.2; mention native FTS in the tech-stack list. (Capability matrix in the gotchas section was already updated by #159.) |
| `PROJECT_SUMMARY.md` | Same version bumps + note `QUERY_FTS_INDEX` is bundled. |
| `AGENTS.md` | Rewrite "What this repo is" (no more "REST API"). Flip the test contract from `mvn -B -ntp clean verify` to `go test ./...`. Replace "REST API on the `serve` path do not mutate" with a clear "Read-only MCP server" rule that calls out the REST + React SPA deletion at Phase 6 cutover. |
| `SECURITY.md` | Rewrite Scope. Drop the dead references to the JAR, the `serve` subcommand, the REST API, the React UI, H2, and Neo4j Embedded. New in-scope list covers every codeiq subcommand, the 10 MCP tools (with `run_cypher` mutation-gate bypass explicitly in-scope), `.codeiq/cache/` (SQLite) + `.codeiq/graph/` (Kuzu), `read_file` path sandboxing, and the release pipeline. Add the new security CI workflows (CodeQL, Semgrep, OSV-Scanner, Trivy, Gitleaks, SBOM, Socket Security) + perf-gate to the hardening references. |
| `CHANGELOG.md` | Populate `[Unreleased]` with the OOM-fix saga (PRs #145-#148), the five correctness fixes (#149-#153), the Kuzu 0.7.1 → 0.11.3 bump (#155-#158), the FTS migration (#159), the Dependabot rewrite (#154), and the enrich CLI knobs. |

Out of scope

  • README badges — already accurate (Go 1.25.10 matches the toolchain pin; 100 detectors / 35+ languages matches reality; MCP tool list already says 10).
  • GitHub repo description + topics — will update via `gh repo edit` out-of-band (not a file change).

Test plan

  • No code changed → nothing to test.
  • All YAML / Markdown still parses (eyeballed full diff).

🤖 Generated with Claude Code

Stale doc references after Phase 6 (Java deletion, #132) and the Kuzu
0.7.1 → 0.11.3 bump (#155 + #159).

- CLAUDE.md / PROJECT_SUMMARY.md: bump Kuzu 0.7.1 → 0.11.3,
  go-sqlite3 1.14.22 → 1.14.44, cobra to 1.10.2; note native FTS.
- AGENTS.md: rewrite "What this repo is" (no more "REST API");
  flip `mvn -B -ntp clean verify` → `go test ./...`; clarify that
  REST + React SPA were deleted in Phase 6 and won't return.
- SECURITY.md: rewrite scope. Drop the dead JAR / serve / REST API /
  React UI / H2 / Neo4j Embedded references. New in-scope list covers
  every codeiq subcommand, the 10 MCP tools (with `run_cypher` mutation
  gate called out), `.codeiq/cache/` (SQLite) + `.codeiq/graph/`
  (Kuzu), and `read_file` path sandboxing. Add the security CI
  workflows (CodeQL, Semgrep, OSV-Scanner, Trivy, Gitleaks, SBOM,
  Socket Security) + perf-gate to the hardening references.
- CHANGELOG.md: populate [Unreleased] with the OOM-fix saga
  (PRs #145-#148), the five correctness fixes (#149-#153), the
  Kuzu 0.7.1 → 0.11.3 bump (#155-#158), the FTS migration (#159),
  the Dependabot config rewrite (#154), and the enrich CLI knobs.

No code changes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@aksOps aksOps merged commit e5fd3fe into main May 14, 2026
13 checks passed
@aksOps aksOps deleted the docs/post-cutover-and-kuzu-0.11 branch May 14, 2026 01:37