docs(security): SEC-1.i/.j helpers shipped — trim pending list, propose SEC-1.p Landlock defense-in-depth

[oferchen]

Summary

• Move SEC-1.i (PR feat(fast_io): fchmodat/fchownat/utimensat sandbox helpers (SEC-1.i) #4690, fchmodat/fchownat/utimensat) and SEC-1.j (PR feat(fast_io): renameat sandbox helper (SEC-1.j) #4693, renameat) from the Remaining-work list into the Shipped list with explicit PR references.
• Update both CVE-2026-29518 and CVE-2026-43619 table rows to reflect "all *at helpers shipped" with receiver wiring tracked separately, so the headline status field is accurate without overclaiming.
• Add SEC-1.p Landlock LSM defense-in-depth as a PROPOSED next layer (Linux 5.13+, kernel-side enforcement that complements the userspace *at helpers).
• Refine the target full-Fixed criteria: receiver wiring for both SEC-1.i and SEC-1.j callers complete AND SEC-1.p ships or is closed as N/A.

Status field intentionally remains "Mostly fixed": the remaining receiver call-site wiring follow-ups (metadata crate carrier plumbing for SEC-1.i; disk_commit / transfer_ops/response / local_copy/executor cross-thread plumbing for SEC-1.j) and the Landlock defense-in-depth layer still preclude a clean Fixed claim.

Test plan

• git diff SECURITY.md reviewed — single-file docs change, no source touched
• PR references (feat(fast_io): fchmodat/fchownat/utimensat sandbox helpers (SEC-1.i) #4690, feat(fast_io): renameat sandbox helper (SEC-1.j) #4693, docs(design): formalize SEC-1.h mknodat deferral and document re-open triggers #4694) cross-checked against today's merged history
• No references to AI tooling in the diff
• Hyphens used throughout (no em-dashes)