Wire scan-plugins to the detailed policy prompt

Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.

.github/workflows/scan-plugins.yml

@@ -16,9 +16,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      # Non-blocking by default. Graceful no-op if ANTHROPIC_API_KEY is not
-      # configured on the repo. To enforce, set fail-on-findings: "true".
+      # Non-blocking by default. To enforce, set fail-on-findings: "true".
       - uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
         with:
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+          policy-prompt: .github/policy/prompt.md
           claude-cli-version: latest