mq-mcp v1.9.0 — Tool quality gaps fixed

What's new

• Fixed _detect_security_patterns false positives: Python string literals are now blanked via tokenize before pattern matching.
• Added list_review_skills MCP tool (Class A) — lists available review skills with path-prefix routes, extension routes, and availability status.
• Added ADR-006: documents risk analysis tools pre-scan rationale, CRITICAL severity scope, and string-literal stripping.
• Added §8 WARN acceptance policy to docs/ORCHESTRATION_CONTRACT.md — table defining when each WARN is acceptable vs. requires action.
• Added check 7 to validate_orchestration_contract: Class C tools not in any profile and not in _INTENTIONALLY_PROFILE_FREE emit WARN.
• Fixed missing import re at module level in server.py.
• Tool count: 75 → 76.

Phase 1 (version signal sync)

• README version badge synced to 1.9.0.
• README status line updated to v1.9.0.
• docs/tool_contracts.json version synced to 1.9.0.
• .gitignore now excludes .mypy_cache/.
• All missing tools added to README: list_review_skills, risk_review_file, risk_review_diff, export_symbol_index, repo_signal_status.
• ./scripts/validate.sh passes green.