
fix(docs/ci): remove fork requirement from README; replace CodeQL with shell-aware SAST#43

Merged
soulcodex merged 3 commits intomainfrom
fix/readme-remove-fork-requirement
Apr 14, 2026

Conversation

@soulcodex
Owner

@soulcodex soulcodex commented Apr 14, 2026

Summary

README fix

  • Removes "fork it" from the tagline — the one-line installer and agentic CLI make forking unnecessary
  • Renames Manual Install (for forking) → Manual Install and fixes the clone URL to the canonical soulcodex/agentic

CI: CodeQL → SAST replacement

CodeQL was producing "Error when processing the SARIF file" (neutral conclusion) because it was configured with languages: python but this repo contains no Python source. CodeQL doesn't support shell scripts as an analysable language.

Replaced .github/workflows/codeql.yml with .github/workflows/sast.yml — three focused jobs:

| Job | Tool | Purpose | GitHub integration |
| --- | --- | --- | --- |
| shellcheck | reviewdog/action-shellcheck | Shell-specific linting | PR check annotations |
| semgrep | semgrep/semgrep (CE, LGPL-2.1) | SAST with auto ruleset | SARIF → GitHub Security tab |
| trivy | aquasecurity/trivy-action (Apache-2.0) | Secrets + misconfiguration | SARIF → GitHub Security tab |

All action versions are pinned to SHAs. Same triggers as the original CodeQL workflow: push/pull_request to main + weekly schedule.
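As an added illustration of the workflow shape the description above lays out (three jobs, SHA-pinned actions, SARIF to the Security tab, same push/pull_request/schedule triggers), here is an example sast.yml. It is not the repository's own file, which this page does not reproduce: the `<PIN-SHA-…>` markers are placeholders for full commit SHAs, the cron time and the per-job `permissions` blocks are assumptions, and the step inputs are the ones these actions publicly document.

```yaml
# Added example, not the repository's actual .github/workflows/sast.yml.
# <PIN-SHA-...> are placeholders: in a real file each is the 40-character
# commit SHA of the action release, usually followed by a "# vN" comment.
name: SAST

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly; the exact time is an assumption

permissions:
  contents: read          # least privilege by default; widened per job below

jobs:
  shellcheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # assumed: reviewdog posts annotations on the PR
      checks: write
    steps:
      - uses: actions/checkout@<PIN-SHA-CHECKOUT>   # v4
      - uses: reviewdog/action-shellcheck@<PIN-SHA-SHELLCHECK>   # v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-check   # results appear as PR check annotations
          level: warning

  semgrep:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    container:
      image: semgrep/semgrep   # community edition image; pin a digest in real use
    steps:
      - uses: actions/checkout@<PIN-SHA-CHECKOUT>
      - name: Semgrep scan with the auto ruleset, SARIF output
        run: semgrep scan --config auto --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@<PIN-SHA-CODEQL-ACTION>
        if: always()   # upload findings even when semgrep exits non-zero
        with:
          sarif_file: semgrep.sarif
          category: semgrep   # keeps this upload distinct from trivy's

  trivy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@<PIN-SHA-CHECKOUT>
      - uses: aquasecurity/trivy-action@<PIN-SHA-TRIVY>
        with:
          scan-type: fs
          scan-ref: .
          scanners: secret,misconfig   # secrets + misconfiguration only, no vuln DB needed
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@<PIN-SHA-CODEQL-ACTION>
        if: always()
        with:
          sarif_file: trivy-results.sarif
          category: trivy
```

Two details worth keeping when adapting this: each SARIF upload gets its own `category`, otherwise the second upload for the same commit replaces the first in the Security tab; and `if: always()` on the upload steps means a scanner that exits non-zero on findings still gets its results published rather than silently dropping them, which is the failure mode the original CodeQL job hit when it was pointed at a language the repository does not contain.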

…flow

CodeQL does not support shell scripts as an analysable language and the
only .go file in the repo has '//go:build ignore'. The new sast.yml runs:
- ShellCheck (via reviewdog) — shell-specific linting with PR annotations
- Semgrep — SAST with SARIF upload to GitHub Security tab
- Trivy — secret and misconfiguration scanning with SARIF upload
@soulcodex soulcodex force-pushed the fix/readme-remove-fork-requirement branch from 6a3c4c9 to 9794125 Compare April 14, 2026 21:54
@soulcodex soulcodex changed the title fix(docs): remove fork requirement from README install instructions fix(docs/ci): remove fork requirement from README; replace CodeQL with shell-aware SAST Apr 14, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@soulcodex soulcodex merged commit 5943086 into main Apr 14, 2026
7 checks passed
@soulcodex soulcodex deleted the fix/readme-remove-fork-requirement branch April 14, 2026 21:58
