v3.8.2 - Renderer-aware citations + security/CI hardening

Added

• Advisory Semgrep SAST scan runs on every push/PR as part of the Security workflow, catching source-level security bugs using Semgrep CE community rules (#563)
• Scheduled OSV-Scanner vulnerability-drift workflow scans repository lockfiles weekly and uploads SARIF results to GitHub code scanning, catching newly disclosed CVEs in the dependency tree even between PRs (#571)
• LAST30DAYS_REDDIT_BACKEND=scrapecreators makes ScrapeCreators the primary Reddit backend with the public path as fallback. Users with a ScrapeCreators key who were getting shallow public data will now get full nested comment trees by setting this flag (#589)
• MCP Go tests (mcp/) now run in CI on every push/PR alongside the Python test suite, so MCP server regressions are caught before merge (#621)
• PR dependency review gate blocks merges that introduce new vulnerable dependencies (#551)

Changed

• Citations are now renderer-aware (LAW 8). On hidden-link hosts (Claude Code) every citation stays an inline [name](url) link as before; on visible-URL hosts (Codex, Cursor, Gemini CLI, raw CLI) citations render as plain source labels so the narrative no longer turns into label (https://...) URL soup. The host is detected deterministically from the CLAUDECODE environment variable, and full URLs remain reachable through the engine footer and the saved raw file.

Fixed

• The query-plan invocation guidance now warns against wrapping the heredoc in bash -lc '...' / zsh -lc '...', whose single quotes terminate at the first apostrophe in a ranking string and abort the engine run with unmatched " on Codex. The quoted <<'PLAN_EOF' heredoc is already apostrophe-safe; the -lc wrapper was the hazard.
• Firefox profile detection on Linux now checks $XDG_CONFIG_HOME/mozilla/firefox (or its default ~/.config/mozilla/firefox) in addition to ~/.mozilla/firefox, fixing cookie extraction on distros that honour the XDG Base Directory Specification (#667)