Sync Claude ACP vendor to 0.39.0

[jsgrrchg]

Summary

• Sync vendor/Claude-agent-acp-upstream to upstream @agentclientprotocol/claude-agent-acp v0.39.0.
• Regenerate the vendored dist/ runtime files from the updated source snapshot.
• Update vendor documentation and license notes to remove the temporary emergency runtime bump and document the remaining bounded security delta.
• Replace upstream's local-command metadata stripping regex with a linear scanner.

Security note

The GitHub Advanced Security / CodeQL warning was inherited from upstream @agentclientprotocol/claude-agent-acp v0.39.0. It was not introduced by NeverWrite changes.

Upstream v0.39.0 replaced the previous scanner with a regex for stripping local-command metadata. CodeQL flags that regex as potentially polynomial on uncontrolled input. This PR restores an equivalent linear scanner and adds regression coverage for unterminated and marker-like repeated input.

Impact

This brings the embedded Claude ACP runtime onto the upstream release that includes Claude Agent SDK 0.3.156, while avoiding the upstream regex pattern that triggered the security alert. The runtime staged for Electron was refreshed after the fix.

Validation

• npm install in vendor/Claude-agent-acp-upstream
• npm run build in vendor/Claude-agent-acp-upstream
• npm run test:run in vendor/Claude-agent-acp-upstream — 301 passed, 13 skipped
• npm run check in vendor/Claude-agent-acp-upstream
• git diff --check
• Confirmed the flagged regex pattern is absent from vendored src, generated dist, and the staged Electron runtime
• Staged the Electron sidecar runtime with npm run electron:sidecar:stage -- --skip-build and verified the staged Claude ACP is 0.39.0 with SDK 0.3.156

[jsgrrchg]

agentclientprotocol/claude-agent-acp#729 Upstream PR fixing this issue