docs(code-reviews): add regen-readme.py to generate the review index

README.md is now generated from the per-module findings.md files by
code-reviews/regen-readme.py (discovers modules, parses each finding's
severity/status, rebuilds the Pending Findings and Module Status tables).
Run with --check to fail when README.md is stale (CI-friendly).

REVIEW-PROCESS.md section 5 now points to the script instead of describing
a manual edit, and README.md carries a generated-file banner.

code-reviews/REVIEW-PROCESS.md

@@ -91,16 +91,20 @@ drop off the base README's pending list. `Open` and `In Progress` are **pending*
 
 ## 5. Updating the base README
 
-`code-reviews/README.md` holds the single cross-module view. After any review or
-status change, update it:
+`code-reviews/README.md` holds the single cross-module view (process overview, the
+Pending Findings tables, and the Module Status table). It is **generated** from the
+per-module `findings.md` files — do not edit it by hand.
 
-1. **Pending Findings table** — add/remove rows so it lists exactly the `Open` and
-   `In Progress` findings across all modules, sorted by severity.
-2. **Module Status table** — update the row for the reviewed module (last-reviewed
-   date, commit, open-finding count, review status).
+After any review or status change, regenerate it:
 
-The base README must always agree with the per-module `findings.md` files — they are
-the source of truth; the README is the aggregated index.
+```
+python3 code-reviews/regen-readme.py
+```
+
+`regen-readme.py --check` exits non-zero if `README.md` is stale, for use in CI.
+
+The per-module `findings.md` files are the source of truth; `README.md` is the
+aggregated index and must always agree with them — which the script guarantees.
 
 ## 6. Re-reviewing a module