[codex] Bump proof-pr dogfood to v0.2.12

[saagpatel]

Summary

• Bump the advisory proof-pr reusable workflow and install docs to v0.2.12.
• Add the explicit local --example "Test-only maintenance" authoring flag.
• Add optional producer.example_pattern metadata to the committed dogfood receipt so the workflow summary exercises the new rendered Pattern: line.

Validation

• proof-pr v0.2.12 validate proof-pr.json
• proof-pr v0.2.12 render proof-pr.json --head-sha 816313001c949f50e737d4b6fb6a7ae42e26a1c2 includes Pattern: Workflow dogfood.

Proof Bundle

Risk: T3
Receipt: proof-pr.v1 for 816313001c949f50e737d4b6fb6a7ae42e26a1c2
Decision: ready_with_operator_awareness
Pattern: Workflow dogfood via examples/pr-087-github-repo-auditor-dogfood.json (explicit)

Evidence:

• proof-pr-validate: 'proof-pr validate proof-pr.json' -> passed (Committed receipt validates against proof-pr.v1 schema.)
• proof-pr-render: 'proof-pr render proof-pr.json' -> passed (Receipt renders into the standard Markdown PR block.)
• workflow-yaml: 'ruby -e "require '"'"'yaml'"'"'; YAML.load_file('"'"'.github/workflows/proof-pr.yml'"'"')"' -> passed (New workflow YAML parses.)
• public-fixture-proof-package: PYTHONDONTWRITEBYTECODE=1 python3 scripts/validate_proof_package.py docs/demo-proof/public-fixture/proof-package.json ... (1 args; full command in receipt) -> passed (Existing public fixture proof package remains valid.)
• secrets-scan: 'gitleaks detect --source . --no-banner --redact --verbose' -> passed (No leaks found in the dogfood worktree.)
• public-boundary-scan: passed (No private repo names, local paths, personal email, or token prefixes found in the new public dogfood files.)
• full-test-suite: skipped (No Python source, package metadata, or generated truth surface changed.)
• screenshots: not_applicable (No UI, workbook, dashboard, or visual artifact changed.)
• public-git-metadata: proof-pr check-public-git-metadata --ref HEAD --base-ref origin/main --summary-format text -> passed (Public git metadata checked in introduced mode for origin/main..HEAD; legacy history and tags were not in scope; findings=0.)
• secrets: passed (Gitleaks scan found no leaks.)
• permissions: passed (New workflow grants explicit read-only permissions: contents: read and actions: read.)
• redaction: not_applicable (No screenshots or generated portfolio artifacts are included in this PR.)
• rollback: documented (Revert this PR or remove .github/workflows/proof-pr.yml and proof-pr.json.)

Known gaps:

• The committed receipt uses pending-pr-head because a receipt committed in the same change cannot know its final commit SHA before the commit exists.
• PR number and PR URL should be reflected in the pull request proof block after PR creation.
• The workflow is manual-only for dogfood; pull_request enforcement is intentionally deferred.

Anchoring:

• Receipt JSON head: pending-pr-head (pending_commit)
• Rendered PR/check anchor: 816313001c949f50e737d4b6fb6a7ae42e26a1c2