feat(stability): finalize v1 security and cli baseline #68

Merged: typelicious merged 1 commit into main from codex/feature/v1.0-stability-cli-2026-03-15 on Mar 15, 2026

@typelicious
Collaborator

What changed

  • hardens the dashboard with a CSP based on content hashes instead of unsafe-inline
  • reduces client-facing leakage of upstream provider failure details by returning sanitized attempt summaries
  • validates provider base_url trust boundaries so non-local upstreams must use https
  • adds a documented v1.0.0 security review with findings, mitigations, and residual risks
  • adds the separate npm CLI package under packages/foundrygate-cli
  • updates README, publishing, integrations, roadmap, releases, and security docs to match the stable baseline

Why

This is the single technical slice for the v1.0.0 gate. It closes the remaining security-review items, documents the release decision, and introduces the separate npm-facing CLI without rewriting the Python gateway runtime.

How verified

  • PYTHONPYCACHEPREFIX="$PWD/.pycache" python3 -m compileall foundrygate tests
  • PYTHONPATH=. ./.venv-check-313/bin/pytest -q
  • ./.venv-check-313/bin/ruff check foundrygate tests
  • ./.venv-check-313/bin/ruff format --check foundrygate tests
  • ./.venv-check-313/bin/python -m build --no-isolation
  • ./.venv-check-313/bin/python -m twine check dist/*
  • /opt/homebrew/bin/node packages/foundrygate-cli/bin/foundrygate.js --help
  • cd packages/foundrygate-cli && npm_config_cache=/tmp/foundrygate-npm-cache PATH=/opt/homebrew/bin:$PATH /opt/homebrew/bin/npm pack --dry-run
  • PATH=/opt/homebrew/bin:$PATH /usr/bin/git diff --check

@typelicious typelicious merged commit 7db4c44 into main Mar 15, 2026
12 checks passed
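
The base_url trust-boundary rule from the "What changed" list (non-local upstreams must use https), sketched as an added example; this is not FoundryGate's own code. The function names are hypothetical, the sample URLs are constructed, and "local" is assumed to mean loopback only (localhost, 127.0.0.0/8, ::1).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: only loopback counts as "local"; private ranges such as 10.0.0.0/8 do not.
LOCAL_NAMES = {"localhost"}


def is_local_host(host: str) -> bool:
    """True only for loopback names and addresses, never for look-alike DNS names."""
    host = host.rstrip(".").lower()
    if host in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Not an IP literal: names like 127.0.0.1.example.net resolve elsewhere.
        return False


def validate_base_url(base_url: str) -> str:
    """Return base_url unchanged if it respects the rule, else raise ValueError."""
    parts = urlsplit(base_url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # .hostname excludes userinfo and port and strips IPv6 brackets, so
    # "http://localhost@api.example.net" is judged by its real host.
    host = parts.hostname
    if not host:
        raise ValueError("base_url has no host")
    if parts.scheme == "http" and not is_local_host(host):
        raise ValueError(f"non-local upstream {host!r} must use https")
    return base_url


def is_allowed(base_url: str) -> bool:
    """Boolean wrapper for config linting and tests."""
    try:
        validate_base_url(base_url)
        return True
    except ValueError:
        return False
```

Matching on the parsed hostname rather than on a string prefix is what keeps `localhost@…` and `127.0.0.1.<domain>` from passing as local.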