feat(catalog): T4 — catalog trim + proactive-suggestions.json (Phase A.4)

Shortens frontmatter `description:` in every Claude SKILL.md to a single
lead sentence + (gstack) tag. The routing prose ("Use when asked to...",
"Proactively suggest...") and voice triggers move to a "## When to invoke"
body section so they remain discoverable inside the skill. A per-run
registry at scripts/proactive-suggestions.json aggregates the routing/
voice text for all 52 skills so agents can pull guidance on demand
without paying for it in the always-loaded catalog.

Build flag --catalog-mode=full restores v1.44 legacy behavior (full
multi-line descriptions in frontmatter). Default is trim.

splitCatalogDescription() extracts: lead sentence, routing paragraphs,
voice-triggers line, (gstack) tag presence. Short descriptions (<120
chars, already trimmed) are skipped via a guard so re-runs are idempotent.

Measured impact (vs v1.44.1 baseline):
- Catalog tokens (sum of description bytes / 4): 9,319 → 4,045  (-56.6%)
- Total SKILL.md corpus bytes:                   2,915 KB → 2,880 KB (-1.2%)
- Routing prose preserved as in-skill "## When to invoke" sections
- 52 skill entries in scripts/proactive-suggestions.json (on-demand registry)

The corpus drop is small because catalog trim MOVES text from frontmatter
to body, it doesn't delete it. The headline win is the catalog: the
always-loaded system prompt surface drops by more than half.

Test plan:
- bun test test/gen-skill-docs.test.ts: 389 pass, 0 fail
- Manual: ship/SKILL.md frontmatter description is now ONE line ending
  with `(gstack)`; allowed-tools field on next line (YAML well-formed)
- Manual: scripts/proactive-suggestions.json contains 52 entries
- bun run gen:skill-docs --catalog-mode=full restores legacy behavior

53 files changed (52 SKILL.md across hosts + the new proactive-suggestions.json).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cso/SKILL.md

@@ -2,14 +2,7 @@
 name: cso
 preamble-tier: 2
 version: 2.0.0
-description: |
-  Chief Security Officer mode. Infrastructure-first security audit: secrets archaeology,
-  dependency supply chain, CI/CD pipeline security, LLM/AI security, skill supply chain
-  scanning, plus OWASP Top 10, STRIDE threat modeling, and active verification.
-  Two modes: daily (zero-noise, 8/10 confidence gate) and comprehensive (monthly deep
-  scan, 2/10 bar). Trend tracking across audit runs.
-  Use when: "security audit", "threat model", "pentest review", "OWASP", "CSO review". (gstack)
-  Voice triggers (speech-to-text aliases): "see-so", "see so", "security review", "security check", "vulnerability scan", "run security".
+description: Chief Security Officer mode. (gstack)
 allowed-tools:
   - Bash
   - Read
@@ -27,6 +20,18 @@ triggers:
 <!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
 <!-- Regenerate: bun run gen:skill-docs -->
 
+
+## When to invoke this skill
+
+Infrastructure-first security audit: secrets archaeology,
+dependency supply chain, CI/CD pipeline security, LLM/AI security, skill supply chain
+scanning, plus OWASP Top 10, STRIDE threat modeling, and active verification.
+Two modes: daily (zero-noise, 8/10 confidence gate) and comprehensive (monthly deep
+scan, 2/10 bar). Trend tracking across audit runs.
+Use when: "security audit", "threat model", "pentest review", "OWASP", "CSO review".
+
+Voice triggers (speech-to-text aliases): "see-so", "see so", "security review", "security check", "vulnerability scan", "run security".
+
 ## Preamble (run first)
 
 ```bash