May 25, 2026
Runtime Dependency Injection and Bash Ability
Migrated dependency management to pyproject.toml with optional groups for voice and GPU variants, eliminating separate requirements.txt files. Runtime dependencies like Playwright and voice models now install on demand via RuntimeDepsService, reducing Docker image size by 60-70%.
Simplified run.sh and install.sh by removing stamp-file logic and GPU detection scripts, relying on uv for fast installs with a pip fallback. Dev tools are now installed inline in CI rather than via requirements-dev.txt, and CodeQL is restricted to weekly runs.
Reduced CI workflows from 9 to 5 by removing obsolete release announcement, sync, and pre-push lint jobs. Fixed lint errors and security findings including SSRF DNS rebinding checks, path traversal guards, log injection sanitization, and info exposure allowlisting.
Implemented BashAbility for safe shell execution with LLM-based classification, heuristic escalation overrides, destructive command blocking, and secret stripping from environment variables. Added a pre_dispatch hook on the Ability base class to allow parameter modification before policy checks.
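The ordering described above (the hook rewrites parameters, then policy decides) can be sketched as follows. This is an added example, not the project's code: the `Ability` stand-in, the method signatures, the secret-name pattern, the block list and the `classify` callable standing in for the LLM classifier are all assumptions.

```python
import re
import shlex

# Assumed heuristics; the project's real patterns are not shown on this page.
SECRET_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|PRIVATE_KEY)", re.I)
ESCALATE_WORDS = {"sudo", "su", "chmod", "chown", "curl", "wget"}

def strip_secrets(env):
    """Return a copy of env without variables whose names look secret-bearing."""
    return {k: v for k, v in env.items() if not SECRET_RE.search(k)}

def is_destructive(command):
    """Block list: recursive rm on a root-like path, mkfs*, dd onto a device."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return True
    if not argv:
        return False
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog == "rm":
        recursive = "--recursive" in args or any(re.fullmatch(r"-[a-zA-Z]*[rR][a-zA-Z]*", a) for a in args)
        return recursive and any(a in ("/", "/*", "~", "$HOME") for a in args)
    return prog.startswith("mkfs") or (prog == "dd" and any(a.startswith("of=/dev/") for a in args))

class Ability:
    """Hypothetical base class: pre_dispatch may rewrite params before the policy check."""
    def pre_dispatch(self, params):
        return params
    def check_policy(self, params):
        return "allow"
    def dispatch(self, params):
        params = self.pre_dispatch(dict(params))  # hook runs first, on a copy
        return self.check_policy(params), params

class BashAbility(Ability):
    def __init__(self, classify):
        self.classify = classify  # callable returning "safe" or "needs_approval"
    def pre_dispatch(self, params):
        params["env"] = strip_secrets(params.get("env", {}))
        return params
    def check_policy(self, params):
        cmd = params["command"]
        if is_destructive(cmd):
            return "block"
        label = self.classify(cmd)
        # Heuristic override: compound commands and privileged tools escalate even if labelled safe.
        risky = re.search(r"[;&|`]|\$\(", cmd) or set(cmd.split()) & ESCALATE_WORDS
        return "allow" if label == "safe" and not risky else "needs_approval"
```

The block list only inspects the first command in a line, which is why any shell metacharacter forces escalation instead of trusting the classifier's label.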
Updated tests by deleting dead mocks and absence assertions, rebuilding phase4 invariants for current tool scopes, and replacing MagicMock sqlite3 with real in-memory databases. Net reduction of 435 lines while passing all 1139 unit tests.
- RuntimeDepsService manages voice and Playwright installation on demand, shrinking Docker images by 60-70%.
- BashAbility adds safe shell execution with LLM classification, escalation overrides, and secret stripping via a new pre-dispatch hook.
- Migrated to pyproject.toml optional groups for voice/GPU variants, removing all requirements.txt files and stamp-file logic.
- CI workflows reduced from 9 to 5; lint fixes address SSRF DNS rebinding, path traversal, log injection, and info exposure vulnerabilities.
- Test suite cleanup removed dead mocks and absence assertions (-435 LOC) while rebuilding phase4 invariants; all 1139 unit tests pass.