Commit 8fe8a55
Harden chronus workflows: SHA-pinned actions, base-branch tooling, tighter perms

- Pin actions/checkout, setup-node, github-script to SHA + version comment.
- chronus-fix: restore .github/chronus from base branch before npm ci/run,
  so PR-head changes to the tooling cannot execute under the write token.
- persist-credentials: false on both checkouts; push uses an explicit
  x-access-token URL only at push time.
- Permissions: verify drops pull-requests:write for issues:write only;
  fix drops pull-requests:write to pull-requests:read.
- Slash command parsed by strict regex; rejects /chronus additive etc.
- Add concurrency groups on both workflows.
- Consolidate 4 small github-script steps into one auth+metadata step.
- Merge 4 terminal reply steps into one always() switch step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent fdd8e8f
2 files changed
Lines changed: 123 additions & 176 deletions
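
Added example, not part of this commit or of the project's code: a small linter for two of the hardening items the commit message lists (actions pinned to a full SHA with a version comment, and persist-credentials: false on every actions/checkout step). The sample workflow and its placeholder SHAs are constructed, and splitting steps on lines that start with "- " is a simplifying assumption in place of a full YAML parse.

```python
import re

SHA_A, SHA_B = "a" * 40, "b" * 40  # placeholder SHAs, not real commits
# Constructed sample workflow fragment, not the project's file.
SAMPLE = f"""\
steps:
  - uses: actions/checkout@{SHA_A} # v4.2.2
    with:
      persist-credentials: false
  - uses: actions/setup-node@v4
  - name: second checkout
    uses: actions/checkout@{SHA_B}
  - run: npm ci
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
VERSION = re.compile(r"v\d+(\.\d+)*")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\s*$", re.M)

def split_steps(text):
    """Group numbered lines into steps; a line starting with '- ' opens one."""
    steps = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("- "):
            steps.append([])
        if steps:
            steps[-1].append((no, line))
    return steps

def lint(text):
    """Return (line, rule, target) for each hardening rule a step breaks."""
    findings = []
    for step in split_steps(text):
        body = "\n".join(line for _, line in step)
        for no, line in step:
            m = USES.match(line)
            if not m or m.group(1).startswith(("./", "docker://")):
                continue  # not an action reference, or a local/docker action
            target, comment = m.group(1), m.group(2) or ""
            action, _, ref = target.partition("@")
            if not FULL_SHA.fullmatch(ref):
                findings.append((no, "unpinned", target))
            elif not VERSION.match(comment):
                findings.append((no, "no-version-comment", target))
            if action == "actions/checkout" and not NO_PERSIST.search(body):
                findings.append((no, "persist-credentials", target))
    return findings

print(lint(SAMPLE))
```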