fix(install): validate app before installing — refuse write-without-safety

[pawellisowski]

What

aware app install now refuses apps with validation errors — specifically write-mode nodes missing a safety: block — instead of installing them and failing at run time.

Repro fixed

$ aware app install ./nosafety
✗ [E_APP_WRITE_WITHOUT_SAFETY] node "post" (microsoft-365 / teams.channel.post-message) is write-mode without a `safety:` block
error: app install refused: app failed validation (fix errors above and retry)

$ ls ~/.aware/apps/nosafety   # nothing written
ls: cannot access ...         # correct — install-dir never created

How

In install(), before calling install_app_from_path (which copies files), the source manifest is loaded and passed through validate_app + validate_app_safety — the same checks validate_cmd runs. If any errors are found, they are printed to stderr and the function returns early with an error. Nothing is written to ~/.aware.

Warnings don't block install (same policy as validate — only errors do).

Fixes #134