Add SpecLeft skill file security and integrity workflow (#95)

[Dimwiddle]

Description

This PR implements the SpecLeft skill-file feature and hardens SKILL.md handling with explicit integrity tooling.

What was implemented

• Added a dedicated specleft skill command group:
  • specleft skill verify (integrity verification)
  • specleft skill update (regenerate SKILL artifacts)
• Added skill integrity utilities in src/specleft/utils/skill_integrity.py:
  • SHA-256 checksum generation for .specleft/SKILL.md
  • Sidecar checksum file .specleft/SKILL.md.sha256
  • Integrity statuses: pass, modified, outdated
  • Tamper signal when commands contain shell metacharacters
  • Read-only permissions (chmod 444) for generated skill files
• Updated specleft init:
  • Generates SKILL checksum artifacts
  • Idempotent when .specleft/SKILL.md already exists (warn + continue, exit 0)
  • Dry-run JSON includes skill_file_hash
• Added doctor --verify-skill delegation to include skill integrity checks in diagnostics.
• Extended contract payload guarantees under guarantees.skill_security:
  • skill_file_integrity_check
  • skill_file_commands_are_simple
• Updated canonical skill docs/template:
  • docs/SKILL.md
  • src/specleft/templates/skill_template.py
• Added feature spec and scenario mappings for skill integrity:
  • features/feature-skill-integrity.md
  • Decorated tests/commands/test_skill.py tests with @specleft(...) metadata

Files of interest

• src/specleft/commands/skill.py
• src/specleft/utils/skill_integrity.py
• src/specleft/commands/init.py
• src/specleft/commands/doctor.py
• src/specleft/commands/contracts/payloads.py
• tests/commands/test_skill.py
• features/feature-skill-integrity.md
• docs/SKILL.md

Testing

• make lint (ruff + mypy + black --check) passed
• make test passed (448 passed)

Related Issues

Closes #95