chore: add dev ergonomics scripts and release guardrails

[a-essawy]

Summary

Improves DX for agents + devs working across the rendobar/cli ↔ rendobar/rendobar boundary, and adds automated guardrails so releases cannot silently fail.

Dev ergonomics

• `pnpm dev:sdk-local` — pnpm-links `@rendobar/sdk` from `../rendobar/packages/sdk` (configurable via `RENDOBAR_MONOREPO` env). Builds the SDK first, then links globally.
• `pnpm dev:sdk-npm` — restores the npm-published version from package.json.
• Pre-commit guard (`scripts/check-no-linked-sdk.mjs`) — rejects commits while SDK is dev-linked. Distinguishes normal pnpm store symlinks (contain `/.pnpm/`) from dev-link targets.
• AGENTS.md — dev loop, release flow, cross-repo workflow, guardrails table, agent dos/don'ts.

Release guardrails

• Watchdog (`watchdog.yml`, runs every 6h) — scans commits since last `v*` tag. If any are `feat:`/`fix:`/`perf:` and no release-please PR is open, opens an issue. Catches silent skips from non-conventional commits or workflow failures.
• Drift check (`drift-check.yml`, runs daily) — compares `@rendobar/sdk` in package.json vs npm registry latest. Opens an issue when drifted. Backs up Renovate if configured, or stands alone if not.
• Both scripts are idempotent: they check for an existing open issue before opening a new one.
• Branch protection on `main` already live via GH API: requires `test` + `lint` checks, linear history, no force push. No subscription needed — public repos get this free.

Test plan

• `pnpm typecheck` — green
• `pnpm test` — 48/48 passing
• `node scripts/check-no-linked-sdk.mjs` — passes on normal pnpm install
• Watchdog + drift-check scripts validated syntactically (not scheduled-run yet — will fire on schedule)

Notes

• No changes to `cli-binaries.yml` or release flow — they already work end-to-end from the v1.0.0 ship.
• Bypass for pre-commit (emergency only): `git commit --no-verify` or `lefthook run pre-commit --force`.