feat: add v0.5 onboarding and publishing baseline

[typelicious]

What changed

• add generic onboarding helpers with foundrygate-bootstrap and foundrygate-doctor
• add a publish-dry-run workflow that builds Python artifacts, runs twine check, and validates the GHCR image build without publishing
• tighten the CI package path with twine check and shell syntax validation for helper scripts
• add a sanitized client-error path for request-hook and invalid-request failures so internal exception details do not leak in API responses
• refresh README, onboarding, publishing, releases, changelog, and roadmap docs for the v0.5.0 operator baseline

Why

• make the first-run path easier for external operators who are not using the systemd-only flow
• provide a real non-destructive publish dry run for Docker and PyPI-adjacent release validation before cutting tags
• close the current CodeQL stack-trace-exposure alerts in foundrygate/main.py

How verified

• python3 -m compileall foundrygate tests
• PYTHONPATH=. ./.venv-check-313/bin/pytest -q
• ./.venv-check-313/bin/ruff check .
• ./.venv-check-313/bin/ruff format --check .
• bash -n scripts/*
• ./.venv-check-313/bin/python -m build --no-isolation
• ./.venv-check-313/bin/python -m twine check dist/*
• /usr/bin/git diff --check

GitHub state checked

• community profile is now at 100%
• private vulnerability reporting is enabled
• Dependabot security updates are enabled
• the remaining CodeQL findings addressed in this PR are the four medium py/stack-trace-exposure alerts from foundrygate/main.py

Notes

• local Docker daemon execution is still not verifiable from this workstation environment; the repo now relies on the GitHub dry-run workflow for container build validation
• the repo homepage/docs setting on GitHub still points to https://fusionaize.com; if you want the community profile docs link to point at FoundryGate docs, that repo setting should be changed separately