feat(growth): add trust report and mcp config validator

[JSONbored]

Summary

• adds a generated registry trust report artifact and exposes it through the manifest/feed surfaces
• surfaces trust coverage and improvement queues on the quality page
• adds browser-side validators under the dedicated /validators namespace
• connects the Agent Skill package validator to the canonical skills submission flow
• turns the ecosystem page into a real data-backed update surface
• folds the open Renovate dependency updates into this PR so the dependency queue can be closed out after merge

What changed

• generated /data/registry-trust-report.json with brand, source, checksum, adapter, verification, provenance, and review coverage
• added trust summary links to registry feeds, API docs, quality page, and browse filters
• added /validators plus /validators/mcp-config with safe JSON validation and fixed-snippet/report copy actions
• moved the Agent Skill package validator to /validators/skill-package so /tools remains the third-party tools catalog
• updated the skill validator so valid packages can continue into /submit with canonical skills fields prefilled, open a GitHub issue fallback, or copy the canonical issue body
• updated the skills submission schema/template so package-derived install metadata can flow through the existing review path
• refreshed ecosystem page from registry changelog, trust report, contributors, and active jobs
• added tests for trust report generation, MCP config validation, skill package submission drafts, metadata, sitemap inclusion, and validator routes
• pins GitHub Actions Node usage to 24.15.0
• updates the open package dependency set and regenerates pnpm/Raycast locks from the combined manifests

Why

• starts the next growth wave with maintainable trust signals and high-intent free utilities instead of a larger rewrite
• keeps HeyClaude-owned validators separate from the external /tools catalog
• gives maintainers a generated queue for brand/source/package-quality improvements
• gives users useful MCP and skill submission tooling without uploading secrets, mutating local config, or creating a separate content path
• consolidates dependency PRs chore(deps): pin dependency node to 24.15.0 - autoclosed #298, fix(deps): update non-major dependencies #299, and chore(deps): lock file maintenance #309 into one integration PR

Validation

• pnpm install --frozen-lockfile
• npm ci in integrations/raycast
• pnpm test
• npm run lint in integrations/raycast
• npm run build in integrations/raycast
• pnpm validate:content:strict
• pnpm validate:issue-templates
• pnpm validate:openapi
• pnpm validate:raycast-feed
• pnpm validate:readme
• pnpm type-check
• pnpm build
• pnpm validate:clean
• trunk check --ci --all --no-fix

Notes

• ci(submissions): add stale queue hygiene #318 is merged into main and this PR branch now includes it.
• Release PR chore(release): 1.0.0 #317 should remain held until this PR lands, then be regenerated or refreshed for the actual release cut.
• No production deploys or main merges were performed.