v1.6.1 — audit fixes + CI hardening

Patch release closing every issue found during a full audit pass against v1.6.0.

🔴 Critical fix

• release.py — IndexError on commits with empty subjects (e.g. bare feat:) crashed mid-flow after CHANGELOG was already written.

🟠 Other bug fixes

• release.py — substring matching miscategorized "address security issue" as a feature; replaced with Conventional Commits regex + word-boundary fallback.
• install.sh — --target ignored when paired with --agent; explicit target now preserved.
• update.sh — replaced GNU-only find -printf with portable timestamp-name sort (macOS support).
• skills-api.py — Path.cwd() made the API position-dependent; now derives REPO_DIR from __file__. Default port 5555 (was 5000, didn't match docs).
• quality-dashboard.py — activity score no longer treats the always-truthy formatted last-commit string as recency evidence.
• validate.sh — set +e → set -uo pipefail.
• Docs — port references synced to :5555.

🛡️ CI hardening

• All GitHub Actions pinned to commit SHAs across all three workflows.
• ShellCheck step added to CI (severity warning).
• New scripts/check_provenance.py enforces the origin: field on every non-submodule SKILL.md.
• install.sh --prefer NAME resolves the 5 documented duplicate-skill names (default: superpowers).
• scripts/install.sh, update.sh, validate.sh cleaned of all ShellCheck SC2145 / SC2155 warnings.
• scripts/requirements.txt declares Python deps for the helper scripts.

📈 Tests

• 22 → 28 pytest tests (6 new regression tests in test_release.py).

📊 Verification

• pytest tests/ — 28/28 ✅
• bash scripts/validate.sh — 189/189 valid ✅
• python3 scripts/check_provenance.py — 183/183 origin-tagged ✅
• ShellCheck — 0 errors, 0 warnings ✅
• All 3 GitHub Actions workflows — green ✅

Full diff: v1.6.0...v1.6.1

Skill content unchanged. No SKILL.md edited; no submodule updated.