fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)

* fix(ci): resolve cross-platform test failures

- Sanity check script (check-codex-global-state.sh) now falls back to
  grep -E when ripgrep is not available, fixing the codex-hooks sync
  test on all CI platforms. Patterns converted to POSIX ERE for
  portability.
- Unicode safety test accepts both / and \ path separators so the
  executable-file assertion passes on Windows.
- Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
  Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
  characters.
- Quoted-hook-path test skipped on Windows where NTFS disallows
  double-quote characters in filenames.

* feat: port remotion-video-creation skill (29 rules), restore missing files

New skill:
- remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
  animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
  measuring, sequencing, tailwind, text animations, timing, transitions,
  trimming, and video embedding. Ported from personal skills.

Restored:
- autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
- lead-intelligence/ (full directory restored from branch commit)

Updated:
- manifests/install-modules.json: added remotion-video-creation to media-generation
- README.md + AGENTS.md: synced counts to 139 skills

Catalog validates: 30 agents, 60 commands, 139 skills.

* fix(security): pin MCP server versions, add dependabot, pin github-script SHA

Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
  to prevent supply chain attacks via version hijacking:
  - @modelcontextprotocol/server-github@2025.4.8
  - @modelcontextprotocol/server-memory@2026.1.26
  - @modelcontextprotocol/server-sequential-thinking@2025.12.18
  - @playwright/mcp@0.0.69 (was 0.0.68)

Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
  with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)

* feat: add social-graph-ranker skill — weighted network proximity scoring

New skill: social-graph-ranker
- Weighted social graph traversal with exponential decay across hops
- Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
- Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
- Final ranking includes engagement bonus for responsive connections
- Runs in parallel with lead-intelligence skill for combined warm+cold outreach
- Supports X API + LinkedIn CSV for graph harvesting
- Outputs tiered action list: warm intros, direct outreach, network gap analysis

Added to business-content install module. Catalog validates: 30/60/140.

* fix(security): npm audit fix — resolve all dependency vulnerabilities

Applied npm audit fix --force to resolve:
- minimatch ReDoS (3 vulnerabilities, HIGH)
- smol-toml DoS (MODERATE)
- brace-expansion memory exhaustion (MODERATE)
- markdownlint-cli upgraded from 0.47.0 to 0.48.0

npm audit now reports 0 vulnerabilities.

* fix: resolve markdown lint and yarn lockfile sync

- MD047: ensure single trailing newline on all remotion rule files
- MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
- MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
- yarn.lock: regenerated to sync with npm audit changes in package.json

* fix: replace unicode arrows in lead-intelligence (CI unicode safety check)

manifests/install-modules.json

@@ -273,7 +273,9 @@
         "skills/content-engine",
         "skills/investor-materials",
         "skills/investor-outreach",
-        "skills/market-research"
+        "skills/lead-intelligence",
+        "skills/market-research",
+        "skills/social-graph-ranker"
       ],
       "targets": [
         "claude",
@@ -317,6 +319,7 @@
       "description": "Media generation and AI-assisted editing skills.",
       "paths": [
         "skills/fal-ai-media",
+        "skills/remotion-video-creation",
         "skills/video-editing",
         "skills/videodb"
       ],