…nstraints (#2232, #2233, #2261)

Issue #2232 — cross-session rollout tracking for skill promotion/demotion:
- Add `cross_session_rollout` and `min_sessions_before_promote` config fields
- Add separate `min_sessions_before_demote` (default 1) to prevent symmetric misuse
- Add `distinct_session_count` SQL query on skill_outcomes using existing conversation_id
- Migration 048: composite index on skill_outcomes(skill_name, conversation_id)
- Guard both promotion and demotion in check_trust_transition when enabled

Issue #2233 — skill trust governance and security scanning:
- Add `ScannerConfig` nested under TrustConfig with `injection_patterns` and
  `capability_escalation_check` fields
- Add `check_capability_escalation` in scanner.rs: validates allowed_tools against
  QUARANTINE_DENIED list for Quarantined/Blocked trust levels
- Add `EscalationResult` type and `check_escalations` registry method
- Wire escalation check into bootstrap when capability_escalation_check is enabled
- Add provenance fields `source_url` and `git_hash` to SkillMeta (x-source-url,
  x-git-hash frontmatter keys)
- Migration 047: git_hash column in skill_trust table

Issue #2261 — SkillsBench section cap and domain evaluation gate:
- Add `max_auto_sections` config field (default 3): caps auto-generated skill bodies
  at 3 H2 sections via validate_body_sections()
- Add `domain_success_gate` config field (default false): LLM-based domain relevance
  check before activating auto-generated skill versions
- Add DOMAIN_GATE_PROMPT_TEMPLATE, DomainGateResult type, build_domain_gate_prompt()
- Add section limit instruction to IMPROVEMENT_PROMPT_TEMPLATE

All new config fields wired into --init wizard and auto-migrated via default.toml.
26 new unit tests across zeph-config, zeph-skills, zeph-memory, zeph-core.

Closes #2232, #2233, #2261