fix(ci): correct image digest separator

.wave/pipelines/ops-release-harden.yaml

@@ -0,0 +1,35 @@
+kind: WavePipeline
+metadata:
+  name: ops-release-harden
+  description: "Security scan, branch on severity, apply hotfixes, generate changelog"
+  category: composition
+  release: true
+
+input:
+  source: cli
+  example: "v1.0.0"
+  schema:
+    type: string
+    description: "Release version or branch to harden"
+
+steps:
+  - id: scan
+    pipeline: audit-security
+    input: "{{input}}"
+
+  - id: triage
+    dependencies: [scan]
+    branch:
+      on: "{{scan.output.risk_level}}"
+      cases:
+        critical: impl-hotfix
+        high: impl-hotfix
+        medium: impl-improve
+        low: skip
+
+  - id: gate
+    dependencies: [triage]
+    gate:
+      type: approval
+      message: "Review security fixes before release"
+      timeout: "4h"