feat(audit): add stability audit mode with active-skill filtering #1

Open
aworki wants to merge 1 commit into hao-cyber:master from aworki:fix/stability-audit-active-only

aworki commented Mar 4, 2026

What

Add an optional stability audit mode to scripts/audit.py that detects A→D churn in skills/* from git history.

Why

Daily evolution reports can miss real change signals or over-report removed skills. This PR adds a deterministic pre-check that:

  • finds churn candidates from recent commits
  • filters to currently active skills by default
  • keeps --include-deleted for explicit historical analysis

How

  • Add --stability-audit mode with options: --repo, --days, --top, --report-file, --include-deleted
  • Parse git history (git log --name-status) to compute A/D churn candidates
  • Filter candidates against current skills/ directories by default
  • Output machine-readable JSON with:
    • churn_candidates_total
    • churn_candidates
    • filtered_out_removed
    • top evidence (recent add/delete commits)
  • Keep existing security audit behavior unchanged when --stability-audit is not set

Validation

  • python3 scripts/audit.py --help
  • python3 scripts/audit.py --stability-audit --repo . --days 30 --top 1
  • python3 -m py_compile scripts/audit.py

If preferred, I can also add a short README snippet showing recommended daily usage.
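
The churn check described in the PR description above, as an added example that is not the PR's code or the project's scripts/audit.py: it parses constructed `git log --name-status` output, flags skills whose history contains an add later followed by a delete, and drops skills that are no longer active unless asked to keep them. The function names, the sample log, the `commit:%h` header format and the exact meaning of each JSON field are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `git log --name-status --format=commit:%h` (newest first).
SAMPLE_LOG = """\
commit:c3c3c3c
A\tskills/weather/SKILL.md
A\tskills/notes/SKILL.md
commit:b2b2b2b
D\tskills/weather/SKILL.md
D\tskills/translate/SKILL.md
M\tREADME.md
commit:a1a1a1a
A\tskills/weather/SKILL.md
A\tskills/translate/SKILL.md
"""
SKILL_RE = re.compile(r"^skills/([^/]+)/")  # skill name = first dir under skills/

def parse_events(log_text):
    """Return {skill: [(status, commit), ...]} oldest first, A and D rows only."""
    rows, commit = [], None
    for line in log_text.splitlines():
        parts = line.split("\t")
        if line.startswith("commit:"):
            commit = line[len("commit:"):]
        elif len(parts) >= 2 and parts[0] in ("A", "D"):  # skips blanks, M, R100...
            match = SKILL_RE.match(parts[1])
            if match:
                rows.append((match.group(1), parts[0], commit))
    events = defaultdict(list)
    for skill, status, sha in reversed(rows):  # git log prints newest first
        events[skill].append((status, sha))
    return events

def has_add_then_delete(evts):
    """True when some A is later followed by a D (the A->D churn pattern)."""
    statuses = "".join(status for status, _ in evts)
    return "A" in statuses and "D" in statuses[statuses.index("A"):]

def stability_report(log_text, active_skills, include_deleted=False):
    """active_skills: names of directories currently present under skills/."""
    events = parse_events(log_text)
    churned = sorted(s for s, e in events.items() if has_add_then_delete(e))
    removed = [s for s in churned if s not in active_skills]
    kept = churned if include_deleted else [s for s in churned if s in active_skills]
    return {"churn_candidates_total": len(kept), "churn_candidates": kept,
            "filtered_out_removed": [] if include_deleted else removed}
```

In real use the log text would come from running git in the repository and `active_skills` from listing the skills/ directory; here both are passed in so the example runs offline.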

aworki commented Mar 4, 2026

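Additional notes:\n\nThis change is mainly intended to improve the stability and actionability of the daily report's conclusions, and to avoid repeatedly reporting retired skills as the main problem.\n\nOn compatibility:\n- When  is not passed, the existing security audit logic is completely unchanged;\n-  is a new optional mode;\n- The default is active-only, but  is kept for historical retrospective analysis.\n\nIf you agree, I can also add a README example of daily usage (daily stability gate).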

aworki commented Mar 4, 2026

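A corrected version (to avoid formatting ambiguity):

This change is mainly intended to improve the stability and actionability of the daily report's conclusions, and to avoid repeatedly reporting retired skills as the main problem.

Compatibility:

  • When --stability-audit is not passed, the existing security audit logic stays unchanged;
  • --stability-audit is a new optional mode;
  • The default is active-only, but --include-deleted is kept for historical retrospective analysis.

If you agree, I can also add a README usage example for a daily stability gate.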

aworki commented Mar 10, 2026

Hi! Just checking in on this PR.

It has been open for a bit without maintainer feedback, so I wanted to confirm whether this audit-mode direction still fits the project's roadmap. If the scope should be adjusted, narrowed, or closed out, I'm happy to follow your preference.

Thanks!
