feat: build system hardening — collision detection, validation gates, init path enforcement

5-phase hardening to prevent silent file-layer collisions (the D-Bus
regression class):

Phase 1: lint-config-paths.sh + make lint-config in depends.mk
Phase 2: CollisionTracker in installer (content-hash comparison)
Phase 3: installs manifests in recipe.toml + validate-file-ownership.sh
Phase 4: validate-init-services.sh + make validate in disk.mk
Phase 5: documentation (AGENTS.md, BUILD-SYSTEM-HARDENING-PLAN.md)

Both redbear-mini and redbear-full build and validate clean.
66 declared install paths in base, zero conflicts.

Makefile

@@ -5,7 +5,7 @@ include mk/config.mk
 # Build system dependencies
 include mk/depends.mk
 
-all: $(BUILD)/harddrive.img
+all: lint-config $(BUILD)/harddrive.img
 
 # ── Red Bear OS Build Cache (OBLIGATORY) ─────────────────────────────────
 # Cache sync is a mandatory part of every successful build.
@@ -229,3 +229,5 @@ wireshark: FORCE
 	wireshark $(BUILD)/network.pcap
 packages-sync: ; @bash local/scripts/sync-packages.sh
 packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/"
+validate-patches:
+	@bash local/scripts/validate-patches.sh