feat(recipe-report): newspaper front-page layout — editorial lead + CVE security bulletin first

Masthead + opus 'lead' editorial (overall fleet state + what to focus on), a Security Bulletin of
critical-CVE upgrades up top (mined from per-recipe upgrade_notes_md), then needs-attention/routine,
and the comprehensive table as 'the full wire' at the end. survey now includes each recipe's
upgrade_notes_md (breaking-change/CVE analysis) so opus can lead with security.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.claude/skills/recipe-report/SKILL.md

@@ -20,19 +20,26 @@ Helper: `python3 /srv/cc-ci/cc-ci-plan/recipe-report.py {survey|render|publish}`
    `/srv/cc-ci/.cc-ci-logs/upgrades/upgrade-all-<DATE>.md`.
 
 2. **Survey.** `python3 /srv/cc-ci/cc-ci-plan/recipe-report.py survey <DATE> > /tmp/survey.json`. This
-   gives you the raw `/upgrade-all` summary markdown plus, for every recipe mirror, its open PRs and the
-   `cc-ci/testme` CI verdict on each PR head. Read it all.
+   gives you: the raw `/upgrade-all` summary; for every recipe mirror its open PRs + the `cc-ci/testme`
+   verdict; and each recipe's **per-recipe upgrade notes** (`upgrade_notes_md` — the breaking-change /
+   **CVE / security** analysis the upgrade did). Read it all.
 
-3. **Review & classify.** Judge the run and the recipe/PR state. Sort everything into:
-   - **Needs attention** — PRs that are GREEN and ready to merge, and errors/failures to investigate
-     (RED `!testme`, recipe bugs, anything blocking). Lead with these. Short, specific prose per item.
-   - **Routine** — minor/clean bumps, stale-test PRs (need operator `--with-tests`), up-to-date or
-     skipped-by-design. Brief.
-   Also flag cross-cutting issues (e.g. a recipe ending with two open PRs to reconcile).
+3. **Review & classify — this is a front page, write it like an editor.**
+   - **Security first.** Scan the per-recipe `upgrade_notes_md` + the summary (and use your own knowledge
+     of the version bumps) for upgrades that fix **CVEs / security issues**. Anything **critical/high**
+     leads the page → the `security` bulletin (recipe · CVE id(s) + severity · what it fixes · PR link).
+     This is the most important section; be specific about severity and what's exposed if not merged.
+   - **Lead / editorial.** Write a short `lead` (2–4 short paragraphs): the **overall state of the recipe
+     fleet** this week (how healthy, what moved, any worrying trend) and **specific, opinionated
+     suggestions of what to focus on** — like a newspaper lead. This is opus's voice; be useful, concrete.
+   - **Needs attention** — GREEN PRs ready to merge + errors/failures to investigate (RED `!testme`,
+     recipe bugs). Short, specific prose + links. Flag cross-cutting issues (e.g. two open PRs to reconcile).
+   - **Routine** — minor/clean bumps, stale-test PRs (need operator `--with-tests`), up-to-date / skipped.
 
 4. **Write the spec** `/tmp/report-spec.json` (shape in the helper header): `date`, `subtitle`
-   ("Week of <human date>"), a one-line `headline`, `needs_attention[]`, `routine[]`, and a
-   **comprehensive `table[]`** with EVERY recipe (`recipe`, `change` "a → b", `status`
+   ("Week of <human date>"), `lead` (the editorial, blank-line-separated paragraphs), `security[]`
+   (critical-CVE upgrades — may be empty), `needs_attention[]`, `routine[]`, and a **comprehensive
+   `table[]`** with EVERY recipe (`recipe`, `change` "a → b", `status`
    GREEN/STALE/FAILED/SKIPPED/UPTODATE, `ci` as a level/result number+info string e.g. `build 154 ✓`
    or `RED · restore` with `ci_url`, `pr`/`pr_url`, `notes`). **CI = link + number/info only; no images.**