feat: build system hardening — collision detection, validation gates, init path enforcement

5-phase hardening to prevent silent file-layer collisions (the D-Bus
regression class):

Phase 1: lint-config-paths.sh + make lint-config in depends.mk
Phase 2: CollisionTracker in installer (content-hash comparison)
Phase 3: installs manifests in recipe.toml + validate-file-ownership.sh
Phase 4: validate-init-services.sh + make validate in disk.mk
Phase 5: documentation (AGENTS.md, BUILD-SYSTEM-HARDENING-PLAN.md)

Both redbear-mini and redbear-full build and validate clean.
66 declared install paths in base, zero conflicts.

mk/depends.mk

@@ -26,4 +26,8 @@ endif
 endif
 
 endif
+
 endif
+
+lint-config:
+	@scripts/lint-config-paths.sh

mk/disk.mk

@@ -109,3 +109,10 @@ else
 	@$(FUMOUNT) /tmp/redox_installer 2>/dev/null || echo "Warning: failed to unmount /tmp/redox_installer"
 	@echo "\033[1;36;49mFilesystem unmounted\033[0m"
 endif
+
+validate-init: $(BUILD)/harddrive.img
+	@scripts/validate-init-services.sh $(BUILD)/harddrive.img
+
+validate: lint-config validate-init
+	@scripts/validate-file-ownership.sh
+	@echo "\033[1;36;49mBuild validation passed\033[0m"