Fix packer template audit drift

[NWarila]

Summary

• update org governance workflow pins and mirror sources to the amended NWarila/.github baseline
• sync eligible org ADR 0011 and shared docs/diagram sources while removing stale missing ADR references
• add bounded retry handling to pinned CI tool downloads and document workflow permission scopes

Verification

• python tools/check_baseline_manifest.py
• python tools/check_docs_layout.py
• python tools/check_adr_schema.py
• relative Markdown link check
• actionlint
• zizmor --persona pedantic .github/workflows
• markdownlint-cli2 **/*.md
• opa test policies/opa
• python tools/verify.py ruff
• python tools/verify.py test
• python tools/verify.py privileged-workflows
• python tools/verify.py docs-diff
• python tools/verify.py packer-syntax
• python tools/verify.py plugin-provenance
• python tools/verify.py plugin-install-check
• python tools/verify.py validate
• python tools/verify.py inspect
• python tools/verify.py manifest-check
• workflow action SHA resolver: 12 external pins resolved

Local note: the Windows Packer build path stopped at the unchanged git data source before artifact policy evaluation; the Linux PR check is expected to provide the integration proof.