Rewrite recipe 3 as a generic AI security recipe #2

Open
anutron wants to merge 1 commit into main from generic-security-recipe

anutron commented May 16, 2026

Summary

  • Reorients recipe 3 from "build a security plugin" to "adopt and deliver a security policy." Anthropic's Organizational Instructions now handles the policy-injection job the plugin used to do, so the recipe leads with a complete starter policy and treats the plugin layers as optional.
  • Adds a full starter security policy any org can lift and customize: principles, approved tools, five data-access tiers, eight rules, business platform rules, credential management, enforcement. Genericized from a real deployed policy (Thanx-specific names and tools stripped out, abstract concepts substituted).
  • Keeps the optional layers from the previous recipe: hook-based guardrails (concept 2) and compliance observability backend (concept 3), now framed as additive layers on top of Organizational Instructions.
  • Renames 03-security-plugin.md -> 03-security.md and updates references in 00-overview.md, README.md, and site/_kit/03-recipes.md.

Test plan

  • Read the new docs/claude-code-recipes/03-security.md end to end – does the policy read like something you'd actually adopt at another org without heavy rewriting?
  • Check the substitutions – your data proxy, your help channel, your security owner, your org's own repos, etc. – do they feel natural or sound like placeholders?
  • Confirm the condensed policy block (the one designed for Organizational Instructions) is at a reasonable length and reads as a drop-in.
  • Verify 00-overview.md, README.md, and site/_kit/03-recipes.md link/refer to the new filename and use the new framing.
  • Decide whether the image (recipe3_security-plugin-three-helpers.png) needs a rename/replacement to match the new "AI security" framing.

🤖 Generated with Claude Code

The previous recipe was framed around a custom security plugin that
injected policy via a SessionStart hook. Now that Anthropic ships
Organizational Instructions (per-org context injection up to ~3K chars),
the plugin's primary job is solved upstream.

This rewrite reorients the recipe around two halves:
- A complete starter security policy (principles, approved tools,
  data access tiers, eight rules, business platform rules, credentials,
  enforcement) that any org can lift and customize. Genericized from
  a real, deployed policy.
- How to deliver it: Organizational Instructions as the primary path,
  with optional hook-based guardrails and compliance observability as
  layers for orgs that want more enforcement than context alone provides.

Also renames the file (03-security-plugin.md -> 03-security.md) and
updates references in 00-overview.md, README.md, and site/_kit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>