Commit 7c9afe2
feat: v3.1.0 — security hardening, cross-harness compatibility, README rewrite
Security (8 fixes):
- CRITICAL: eliminate all bash -c in dep-scan.cjs, use spawnSync with argv
- MEDIUM: fix TOCTOU race in fix-lock.cjs acquire()
- MEDIUM: harden worktree manifest validation (fixBranch + worktreeDir match)
- LOW: prototype pollution guard in schema-runtime.cjs resolveRef()
- LOW: OOM guards in triage.cjs (5MB) and bug-hunter-state.cjs (10MB)
- LOW: graceful fallback when rg not installed
Cross-harness (7 improvements):
- Unify prompts/ → skills/*/SKILL.md as canonical source
- Abstract 25+ Claude-specific tool names to functional phrasing
- Create modes/loop-generic.md for non-ralph agents
- Expand installer to 8 agents (add copilot, windsurf, opencode)
- Generalize EnterWorktree/ExitWorktree references
- Add Option C2 for native-dispatch agents
- Make Node.js optional with graceful degradation
Code quality:
- Extract shared.cjs (18+ deduped utility functions)
- Remove login shell overhead (bash -lc → -c)
- Fix throw-JSON anti-pattern in worktree-harvest.cjs
README rewritten from 797 → 197 lines. 113/113 tests pass.

1 parent daf5ea2 commit 7c9afe2
1 file changed
Lines changed: 106 additions & 694 deletions