chore: add explicit accessibility and security PR checklists and align saved replies

.github/PULL_REQUEST_TEMPLATE/README.md

@@ -65,7 +65,7 @@ These templates integrate with:
 1. **Template Selection**: Choose the template that best matches your PR type
 2. **Required Fields**: Complete all required sections in the template
 3. **Branch Naming**: Follow the [branching strategy](../docs/BRANCHING_STRATEGY.md) for automatic detection
-4. **A11y & Security**: Complete the WCAG 2.1 AA+ and OWASP-aligned checklist items before review
+4. **A11y & Security**: Complete the WCAG 2.2 AA and OWASP-aligned checklist items before review
 5. **Automation**: Let the system handle labeling and assignment - avoid manual changes
 
 ## ⚠️ Important Notes

.github/PULL_REQUEST_TEMPLATE/pr_docs.md

@@ -85,7 +85,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

.github/PULL_REQUEST_TEMPLATE/pr_feature.md

@@ -68,7 +68,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA or higher)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md

@@ -75,7 +75,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

.github/PULL_REQUEST_TEMPLATE/pr_refactor.md

@@ -97,7 +97,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

.github/PULL_REQUEST_TEMPLATE/pr_release.md

@@ -70,7 +70,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

.github/SAVED_REPLIES/pull-requests/security.md

@@ -17,14 +17,16 @@ Thank you for your contribution! Since this PR touches security-sensitive areas
 
 **Checklist:**
 
-- [ ] Validate and sanitize all user input
+- [ ] Validate and sanitise all untrusted input
+- [ ] Escape output for the correct rendering context
+- [ ] Enforce nonce and capability checks for privileged actions
 - [ ] Avoid exposing secrets or sensitive data
-- [ ] Follow least privilege for permissions and tokens
 - [ ] Add or update security tests if appropriate
 
 **Resources:**
 
-- [Security Guidelines](.github/instructions/security.md)
+- [PR Security Baseline](../../instructions/pull-requests.instructions.md#6-pr-review--lifecycle)
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
 
 If you have questions about security best practices, please ask!
 ```
@@ -41,7 +43,9 @@ Thank you for your PR. We've identified a potential security vulnerability in th
 **What to Address:**
 
 - Ensure no secrets or credentials are exposed
-- Validate all user input and outputs
+- Validate and sanitise untrusted input
+- Escape output for the correct rendering context
+- Add nonce/capability checks where privileged actions are involved
 - Avoid command injection, directory traversal, or similar risks
 
 Once these concerns are addressed, let us know so we can proceed with merging.

.github/SAVED_REPLIES/pull-requests/testing.md

@@ -19,7 +19,7 @@ Thank you for your contribution! Before we can merge this PR, we need to ensure
 
 - Add or update automated tests to cover your changes
 - Tests should verify both typical use and edge cases
-- Please follow our [testing guidelines](.github/instructions/bats-tests-and-runner-scripts.md)
+- Please follow our [testing guidelines](../../instructions/quality-assurance.instructions.md)
 
 **Checklist:**
 
@@ -48,7 +48,7 @@ Thanks for including tests in this PR! There are a few ways we can improve test
 
 **Resources:**
 
-- [Testing Guidelines](.github/instructions/bats-tests-and-runner-scripts.md)
+- [Quality Assurance Instructions](../../instructions/quality-assurance.instructions.md)
 
 If you have questions about these suggestions, let us know!
 ```

.github/pull_request_template.md

@@ -141,7 +141,7 @@ Include:
   - [ ] Semantic HTML and heading order verified
   - [ ] Keyboard navigation and visible focus states verified
   - [ ] ARIA used only where needed
-  - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
+  - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)
 - [ ] Docs/readme/changelog updated (if user-facing)
 - [ ] Security checklist completed (where relevant):
   - [ ] Untrusted input validated and sanitised

docs/PR_CREATION_PROCESS.md

@@ -114,7 +114,7 @@ Each PR template includes a checklist. Ensure you:
 - [ ] Ran all tests and linters
 - [ ] Updated documentation (if needed)
 - [ ] Added/updated tests
-- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.1 AA or higher)
+- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.2 AA)
 - [ ] Completed security checks (validation/sanitisation, context-specific escaping, nonce/capability checks where relevant, and OWASP risk review)
 - [ ] Linked issues
 - [ ] Provided screenshots or video (for UI changes)