fix(security): restore security best practices from portal (1:1 port) #203

@marc0olo

Background

The security team flagged that the current docs/guides/security/ section contains AI-generated rewrites that diverge from the carefully reviewed portal best practices. At least one correctness bug was identified in inter-canister-calls.md (a refund after a bounded_wait error where the transfer could still have gone through, causing a double spend). The security best practices represent significant work and review effort — "almost right" is not acceptable for security content.

What happened

The portal had 13 focused best-practices files in a strict Security concern / Recommendation format. Those were replaced with 6 rewritten files in a tutorial style. Additionally, 2 prerequisite reference pages were never ported.

Scope of this issue

Replace rewritten content with portal source (1:1 port, keep existing file names)

| Current file | Portal source | Action |
| --- | --- | --- |
| guides/security/access-management.mdx | building-apps/security/iam.mdx | Replace content |
| guides/security/inter-canister-calls.md | building-apps/security/inter-canister-calls.mdx | Replace content (contains correctness bug) |
| guides/security/data-integrity.md | building-apps/security/data-integrity-and-authenticity.mdx | Replace content |
| guides/security/canister-upgrades.md | building-apps/security/canister-upgrades.mdx | Replace content |
| guides/security/dos-prevention.md | building-apps/security/dos.mdx | Replace content |

Add missing topic files

| File to create | Portal source |
| --- | --- |
| guides/security/overview.md | building-apps/security/overview.mdx |
| guides/security/data-storage.md | building-apps/security/data-storage.mdx |
| guides/security/decentralization.md | building-apps/security/decentralization.mdx |
| guides/security/formal-verification.md | building-apps/security/formal-verification.mdx |
| guides/security/https-outcalls.md | building-apps/security/https-outcalls.mdx |
| guides/security/misc.md | building-apps/security/misc.mdx |
| guides/security/observability.md | building-apps/security/observability-and-monitoring.mdx |
| guides/security/resources.md | building-apps/security/resources.mdx |

Add missing prerequisite reference pages

| File to create | Portal source | Rationale |
| --- | --- | --- |
| references/message-execution-properties.md | references/message-execution-properties.mdx | Pure reference: the IC's 5 message execution properties. Prerequisite reading for the inter-canister-calls security page. |
| guides/canister-calls/idempotency.md | building-apps/best-practices/idempotency.mdx | Calling pattern (retry safety for bounded-wait calls and ingress messages), not a security rule. Lives next to inter-canister-calls.mdx and calling-from-clients.md. Cross-linked from guides/security/inter-canister-calls.md. |

Out of scope for this issue (separate follow-ups)

  • guides/security/encryption.mdx — new content covering vetKeys, not in portal. Keep as-is, flag for security team review.
  • concepts/security.md — new architectural overview page, not in portal. Keep as-is, flag for security team review.
  • JS SDK references (@dfinity/agent) — leave as-is in this PR; a separate issue will cover SDK modernization.

Adaptation rules

Only mechanical changes are allowed in this port — no content judgment:

  • Remove Docusaurus MDX component imports (MarkdownChipRow, AdornedTabs, etc.)
  • Convert mo:base imports to mo:core equivalents per project rules
  • Fix internal links to match current site structure
  • Add Astro/Starlight frontmatter (title, description)
  • No rewriting, summarizing, or restructuring of security guidance

Acceptance criteria

  • All 5 rewritten files replaced with portal content
  • All 8 missing topic files added
  • references/message-execution-properties.md added
  • guides/canister-calls/idempotency.md added, cross-linked from guides/security/inter-canister-calls.md
  • npm run build passes
  • Security team spot-check confirms content matches portal


Labels: bug, documentation
