refactor(core)!: TaskHandle, security hardening, robustness, and test/doc overhaul

[ndizazzo]

Core — Breaking Changes

• Replace fire-and-forget RunTask with TaskHandle pattern
  • New TaskHandle type: Done() <-chan struct{}, Err() error, TaskID() string
  • WaitForAllTasksToComplete(timeout) replaces polling
  • Fix StopTask lock contention (cancel() called outside lock)
• ActionWrapper changed from func type to interface

Core — New Features

• Add duplicate task ID check in AddTask (returns descriptive error)
• Add NewAction[T] constructor with auto-ID generation from name
• Add configurable MaxDecompressedSize (decompression bomb protection)
• Add TypedOutputKey, ActionResultAs, TaskResultAs typed helpers
• Task mutex upgraded to sync.RWMutex for concurrent reads

Security

• Eliminate data races in parameter resolution (RLock all 5 Resolve methods)
• Reject all .. path traversal in file validation
• Use sanitized path for recursive delete
• Validate interface name to prevent path traversal in utility action
• Add argument sentinels (--) for mv/chmod/chown injection defense

File Actions

• Atomic write (temp+rename) in ReplaceLinesAction — prevents data loss on crash
• Configurable directory permissions in ExtractFileAction (default 0o750)
• Prefer native os.Rename/os.Chmod over external commands in move/permissions actions
• Fix TarGz to reject non-gzipped files; check Close() errors in Zip extraction

Docker / System Actions

• Fix Docker Run Action arg ordering (image after user options)
• Migrate all 8 docker+system action files to RunCommandWithContext
• Fix Docker Generic Action cancellation support

Lint

• Re-enable errcheck; fix all 26 violations with proper defer/nolint patterns
• Fix replace_lines_action variable shadowing bug

Tests

• Reorganize root-level test files: each production file now has a matching _test.go
  • New testhelpers_test.go (shared fixtures, package task_engine_test)
  • New parameters_test.go (all parameter/resolve/GlobalContext tests)
  • Deleted orphan catch-all task_engine_test.go and parameters_resolve_test.go
• Add TestHandle* suite (Done, Err, TaskID behavior)
• Add TestAddTaskDuplicateID, validate duplicate action IDs at task level
• Update all 17 RunTask call sites across 5 test files
• Add cancellation, builder-error, typed-helper fallback, manager timeout/reset tests

Docs

• Update README, docs/API.md, docs/QUICKSTART.md, docs/ARCHITECTURE.md to reflect ActionWrapper interface, TaskHandle usage, correct RunTask/AddTask signatures
• Remove stale closure-based action pattern from all examples
• Fix broken backtick fences throughout API.md and ARCHITECTURE.md