Add arm64 seccomp support #10

@cwage

Description

Follow-up from #6. The 0.1 release ships linux/amd64 only because the seccomp BPF filter (seccomp.go) is hardcoded to AUDIT_ARCH_X86_64 and uses a single blockedSyscallsAmd64 table. capabilities.go (detectCapabilities) marks seccomp unavailable on non-amd64 and requiredFor("untrusted") makes seccomp mandatory, so an arm64 build currently compiles but refuses to run.

What to do

  • Split seccomp.go into per-arch files via build tags:
    • seccomp_amd64.go — existing AUDIT_ARCH_X86_64 constant + syscall list
    • seccomp_arm64.go — AUDIT_ARCH_AARCH64 (0xC00000B7) + arm64 syscall list
    • Shared BPF emitter stays in seccomp.go
  • Update detectCapabilities so seccomp reports available on arm64 too.
  • Extend the release workflow to build/publish linux/arm64 alongside linux/amd64.

Testing

Realistic test targets: Raspberry Pi 4/5 running 64-bit Raspberry Pi OS, AWS Graviton instances, Apple Silicon via Lima/OrbStack. Absent arm64 hardware, qemu-user-static can smoke-test agentpen --check in a cross-arch container.

Low urgency — not blocking 0.1.
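The split described above hinges on one detail: a seccomp filter must check `seccomp_data.arch` before it looks at the syscall number, because the same number means a different syscall on each architecture (x86_64 `mount` is 165, which on arm64 is `getrusage`). The following is an added, stand-alone example and not code from the agentpen repository: it hand-encodes the raw BPF instructions (no libseccomp or x/net/bpf dependency), builds the same filter shape from a per-arch `AUDIT_ARCH_*` constant plus a per-arch deny list, and includes a small interpreter for the instruction subset it emits so the behaviour can be checked without loading the filter into a kernel. The function and type names (`BuildFilter`, `Evaluate`, `SockFilter`) and the deny lists are assumptions for illustration; the syscall numbers are the real Linux values for each arch.

```go
package main

import (
	"errors"
	"fmt"
)

// Raw classic-BPF opcodes (linux/bpf_common.h) and seccomp constants
// (linux/seccomp.h, linux/audit.h). Values are the kernel's own.
const (
	bpfLdWAbs = 0x20 // BPF_LD | BPF_W | BPF_ABS: acc = *(u32 *)(seccomp_data + K)
	bpfJeqK   = 0x15 // BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == K) ? jt : jf
	bpfRetK   = 0x06 // BPF_RET | BPF_K: return K

	seccompDataNr   = 0 // offsetof(struct seccomp_data, nr)
	seccompDataArch = 4 // offsetof(struct seccomp_data, arch)

	SeccompRetKillProcess = 0x80000000
	SeccompRetErrno       = 0x00050000 // low 16 bits carry the errno
	SeccompRetAllow       = 0x7fff0000

	AuditArchX86_64  = 0xC000003E
	AuditArchAArch64 = 0xC00000B7

	EPERM = 1
)

// SockFilter mirrors struct sock_filter, the unit the kernel accepts.
type SockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

// Illustrative per-arch deny lists (assumed for this example, not the project's
// own tables). The same syscall carries a different number on each arch,
// which is why the filter must verify the arch before comparing numbers.
var (
	blockedAmd64 = []uint32{101 /* ptrace */, 165 /* mount */, 169 /* reboot */, 246 /* kexec_load */}
	blockedArm64 = []uint32{117 /* ptrace */, 40 /* mount */, 142 /* reboot */, 104 /* kexec_load */}
)

// BuildFilter emits the shared filter shape for one architecture:
//
//	ld  [arch]; jeq #arch, +1; ret KILL_PROCESS   ; wrong arch: kill, never compare numbers
//	ld  [nr];   jeq #blocked[i] -> deny (for each) ; fall through otherwise
//	ret ALLOW;  deny: ret ERRNO|EPERM
//
// Jump offsets are 8-bit, so the deny list is capped at 255 entries.
func BuildFilter(arch uint32, blocked []uint32) ([]SockFilter, error) {
	n := len(blocked)
	if n > 255 {
		return nil, errors.New("too many blocked syscalls for 8-bit jump offsets")
	}
	prog := []SockFilter{
		{Code: bpfLdWAbs, K: seccompDataArch},
		{Code: bpfJeqK, Jt: 1, Jf: 0, K: arch}, // match: skip the kill below
		{Code: bpfRetK, K: SeccompRetKillProcess},
		{Code: bpfLdWAbs, K: seccompDataNr},
	}
	// Entry i sits at index 4+i; the deny return sits at index 4+n+1, so the
	// jump-if-true distance is (4+n+1) - (4+i) - 1 = n-i.
	for i, nr := range blocked {
		prog = append(prog, SockFilter{Code: bpfJeqK, Jt: uint8(n - i), Jf: 0, K: nr})
	}
	prog = append(prog,
		SockFilter{Code: bpfRetK, K: SeccompRetAllow},
		SockFilter{Code: bpfRetK, K: SeccompRetErrno | EPERM},
	)
	return prog, nil
}

// SeccompData is the part of struct seccomp_data this filter inspects.
type SeccompData struct {
	Nr   uint32
	Arch uint32
}

// Evaluate interprets prog over data for the three opcodes BuildFilter emits,
// returning the SECCOMP_RET_* action the kernel would take.
func Evaluate(prog []SockFilter, data SeccompData) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); {
		ins := prog[pc]
		switch ins.Code {
		case bpfLdWAbs:
			switch ins.K {
			case seccompDataNr:
				acc = data.Nr
			case seccompDataArch:
				acc = data.Arch
			default:
				return 0, fmt.Errorf("pc %d: unsupported load offset %d", pc, ins.K)
			}
			pc++
		case bpfJeqK:
			if acc == ins.K {
				pc += 1 + int(ins.Jt)
			} else {
				pc += 1 + int(ins.Jf)
			}
		case bpfRetK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("pc %d: unsupported opcode %#x", pc, ins.Code)
		}
	}
	return 0, errors.New("filter fell off the end without returning")
}

func main() {
	arm64, _ := BuildFilter(AuditArchAArch64, blockedArm64)
	// Constructed sample calls: arm64 mount (denied), arm64 getrusage, which
	// shares x86_64 mount's number 165 (allowed), and an x86_64-tagged call
	// hitting the arm64 filter (killed before any number is compared).
	for _, d := range []SeccompData{{40, AuditArchAArch64}, {165, AuditArchAArch64}, {40, AuditArchX86_64}} {
		ret, err := Evaluate(arm64, d)
		fmt.Printf("arch=%#x nr=%d -> ret=%#x err=%v\n", d.Arch, d.Nr, ret, err)
	}
}
```

`Evaluate` is deliberately limited to the opcodes `BuildFilter` produces; it is a check on the emitter's jump arithmetic, not a general BPF interpreter. Loading the result for real still goes through `prctl(PR_SET_NO_NEW_PRIVS)` followed by `seccomp(SECCOMP_SET_MODE_FILTER)`, exactly as the existing amd64 path does, and the arm64 build only differs in the constant and table passed in.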

Labels: enhancement (New feature or request)
