fix: address Copilot PR review comments on governance-audit hook

- Switch from colon to tab delimiter to handle colons in evidence text
- Base64-encode evidence to prevent parsing issues
- Use MAX_SEVERITY in log output and JSON events
- Narrow regex patterns to reduce false positives:
  - third[_-]?party instead of third.?party
  - Role reassignment scoped to AI terms
  - System prompt injection requires 'you are' context
- Fix session-end stats to scope to current session only
- Update privacy statement to clarify evidence snippets are logged
- Rename credential description to 'Possible hardcoded credential'
- Fix database destruction regex to also match semicolons

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

hooks/governance-audit/audit-session-end.sh

@@ -15,12 +15,21 @@ mkdir -p logs/copilot/governance
 TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 LOG_FILE="logs/copilot/governance/audit.log"
 
-# Count events from this session
+# Count events from this session (filter by session start timestamp)
 TOTAL=0
 THREATS=0
+SESSION_START=""
 if [[ -f "$LOG_FILE" ]]; then
-  TOTAL=$(wc -l < "$LOG_FILE" 2>/dev/null || echo 0)
-  THREATS=$(grep -c '"threat_detected"' "$LOG_FILE" 2>/dev/null || echo 0)
+  # Find the last session_start event to scope stats to current session
+  SESSION_START=$(grep '"session_start"' "$LOG_FILE" 2>/dev/null | tail -1 | jq -r '.timestamp' 2>/dev/null || echo "")
+  if [[ -n "$SESSION_START" ]]; then
+    # Count events after session start
+    TOTAL=$(awk -v start="$SESSION_START" -F'"timestamp":"' '{split($2,a,"\""); if(a[1]>=start) count++} END{print count+0}' "$LOG_FILE" 2>/dev/null || echo 0)
+    THREATS=$(awk -v start="$SESSION_START" -F'"timestamp":"' '{split($2,a,"\""); if(a[1]>=start && /threat_detected/) count++} END{print count+0}' "$LOG_FILE" 2>/dev/null || echo 0)
+  else
+    TOTAL=$(wc -l < "$LOG_FILE" 2>/dev/null || echo 0)
+    THREATS=$(grep -c '"threat_detected"' "$LOG_FILE" 2>/dev/null || echo 0)
+  fi
 fi
 
 jq -Rn \