
fix(audit): correct semverCompare + drift/probe robustness + scaffold finalize safety#52

Merged: heznpc merged 1 commit into main from fix/quality-audit on Jun 4, 2026

Conversation


@heznpc heznpc commented Jun 4, 2026

Service-engine quality fixes from the portfolio quality audit (113/113 tests, +13):

audit engine:

  • [CRITICAL] semverCompare (audit-helpers.ts): reimplemented to SemVer §11 —
    a release now ranks ABOVE its own prerelease (1.0.0 > 1.0.0-rc.3, was inverted)
    and build metadata is ignored (§10). New tests/audit-helpers.test.ts covers
    release>prerelease, build-metadata equality, numeric-vs-alpha + numeric-field
    prerelease ordering, and the non-semver fallback.
  • [MAJOR] audit-cd.ts: each probe body wrapped so one malformed payload (version
    as a JSON number) can't abort the whole multi-destination audit; prerelease-only
    npm packages no longer reported not-found; github-releases tag SemVer-extracted
    (no phantom drift on scoped/monorepo tags); placeholder package/AMO ids reported
    as template-not-configured.
  • [MAJOR] audit.ts: count all commits since last tag (not only PR-annotated), so
    rebase-merge repos no longer falsely report READY; issue-close #N refs excluded
    from the PR set.
  • [MAJOR] cli.ts: operational/infra failures exit 2 (distinct from result-failure
    exit 1); audit/seed reject unknown flags instead of silently dropping them.

scaffold/download:

  • [CRITICAL] scaffold.ts finalize: re-check finalDest is still absent/empty
    IMMEDIATELY before the destructive rm (TOCTOU data-loss); preserve a built
    workDest on rename failure; longest-key-first replacement so substrings aren't
    mangled. Honest comment that the window is not truly atomic.
  • [MINOR] download.ts maxRetries<=0 clamped; version.ts warns before the 0.0.0
    sentinel; seed-security-guidance populates matchedStarter in the exists branch.

build + lint clean.
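The first bullet describes the SemVer §11 precedence rules the rewritten comparator has to honour. The block below is an added example written for this page, not the project's audit-helpers.ts: the names parseSemver, semverCompare, comparePrereleaseIds and extractSemver are assumed, and the non-semver fallback (plain string comparison) is an assumption rather than the project's behaviour. It goes slightly beyond the bullet by also showing a tag-to-version extraction of the kind the github-releases fix needs, so a tag such as `@scope/pkg@1.4.0` compares as `1.4.0` rather than as a foreign string.

```typescript
// Added example (not the project's code): SemVer 2.0.0 precedence (§11).
// Returns -1, 0 or 1, so it can be passed straight to Array.prototype.sort.

type Parsed = { core: number[]; pre: string[] };

// core + optional prerelease + optional build metadata; a leading "v" is tolerated.
const SEMVER_RE =
  /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

export function parseSemver(v: string): Parsed | null {
  const m = SEMVER_RE.exec(v.trim());
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    // Build metadata ("+...") is matched but discarded: §10 says it must be
    // ignored when determining precedence, so 1.0.0+build.7 equals 1.0.0.
    pre: m[4] ? m[4].split(".") : [],
  };
}

// One prerelease identifier against another (§11.4).
function comparePrereleaseIds(a: string, b: string): number {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) {
    // Numeric identifiers compare as integers, so beta.2 < beta.11.
    const d = Number(a) - Number(b);
    return d === 0 ? 0 : d < 0 ? -1 : 1;
  }
  if (aNum !== bNum) return aNum ? -1 : 1; // numeric < alphanumeric
  return a < b ? -1 : a > b ? 1 : 0; // alphanumeric: ASCII lexical order
}

export function semverCompare(a: string, b: string): number {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) {
    // Assumption for this example: non-semver strings fall back to plain
    // string ordering instead of throwing.
    return a < b ? -1 : a > b ? 1 : 0;
  }
  for (let i = 0; i < 3; i++) {
    const x = pa.core[i] ?? 0;
    const y = pb.core[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  // Same core: a release outranks every one of its prereleases (§11.3).
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePrereleaseIds(pa.pre[i] ?? "", pb.pre[i] ?? "");
    if (c !== 0) return c;
  }
  // All shared fields equal: the longer prerelease has higher precedence,
  // so alpha < alpha.1.
  if (pa.pre.length === pb.pre.length) return 0;
  return pa.pre.length < pb.pre.length ? -1 : 1;
}

// Pull the first semver-shaped substring out of a release tag, so scoped or
// monorepo tags ("@scope/pkg@1.4.0", "pkg-v2.0.0-rc.1") compare by version
// rather than by the whole tag string. Returns null when nothing matches.
export function extractSemver(tag: string): string | null {
  const m = /\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/.exec(tag);
  return m ? m[0] : null;
}
```

Usage: `versions.sort(semverCompare)` orders prereleases before their release; for a drift check, compare `extractSemver(latestTag)` against the published version instead of the raw tag.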
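The scaffold finalize bullet names three safety points: re-check the destination immediately before the destructive rm, keep the built work directory if the rename fails, and replace placeholders longest-key-first. The block below is an added example, not the project's scaffold.ts: finalizeScaffold, isAbsentOrEmptyDir, replacePlaceholders and demo are assumed names, and demo builds its own scenario in a temporary directory so the behaviour can be exercised offline.

```typescript
// Added example (not the project's code): a scaffold finalize step that
// refuses to clobber a populated destination and never discards the work tree.
import * as fs from "node:fs";
import * as path from "node:path";
import * as os from "node:os";

export type FinalizeResult =
  | { ok: true; finalDest: string }
  | { ok: false; reason: string; preservedAt: string };

// A destination is safe to replace only if it is missing or an empty
// directory. A symlink is deliberately not treated as safe.
export function isAbsentOrEmptyDir(p: string): boolean {
  if (!fs.existsSync(p)) return true;
  const st = fs.lstatSync(p);
  return st.isDirectory() && fs.readdirSync(p).length === 0;
}

export function finalizeScaffold(workDest: string, finalDest: string): FinalizeResult {
  // Re-check right before the destructive step, not at the start of the
  // scaffold run. The check/rm pair is still not atomic: a tiny window
  // remains in which something else could populate finalDest.
  if (!isAbsentOrEmptyDir(finalDest)) {
    return {
      ok: false,
      reason: `refusing to overwrite non-empty ${finalDest}`,
      preservedAt: workDest,
    };
  }
  try {
    if (fs.existsSync(finalDest)) fs.rmSync(finalDest, { recursive: true });
    fs.renameSync(workDest, finalDest);
  } catch (err) {
    // Rename failed (cross-device move, permissions, ...): leave workDest in
    // place so the built tree is not lost.
    return { ok: false, reason: String(err), preservedAt: workDest };
  }
  return { ok: true, finalDest };
}

// Replace template keys longest-first in a single pass, so a key that is a
// substring of another key ("PKG" inside "PKG_VERSION") cannot mangle it.
export function replacePlaceholders(text: string, map: Record<string, string>): string {
  const keys = Object.keys(map).sort((a, b) => b.length - a.length);
  if (keys.length === 0) return text;
  const escaped = keys.map((k) => k.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  // Alternation tries the alternatives in order, so the longest key wins.
  const re = new RegExp(escaped.join("|"), "g");
  return text.replace(re, (m) => map[m] ?? m);
}

// Constructed scenario: first build moves into an absent destination; second
// build finds it populated and must refuse while keeping its own work tree.
export function demo(): {
  first: FinalizeResult;
  second: FinalizeResult;
  secondWorkPreserved: boolean;
  destIntact: boolean;
} {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "scaffold-finalize-"));
  const dest = path.join(tmp, "my-app");
  const work1 = path.join(tmp, "work-1");
  fs.mkdirSync(work1);
  fs.writeFileSync(path.join(work1, "package.json"), "{}");
  const first = finalizeScaffold(work1, dest);

  const work2 = path.join(tmp, "work-2");
  fs.mkdirSync(work2);
  fs.writeFileSync(path.join(work2, "package.json"), "{}");
  const second = finalizeScaffold(work2, dest);

  const secondWorkPreserved = fs.existsSync(path.join(work2, "package.json"));
  const destIntact = fs.existsSync(path.join(dest, "package.json"));
  fs.rmSync(tmp, { recursive: true, force: true });
  return { first, second, secondWorkPreserved, destIntact };
}
```

Running `demo()` returns an `ok: true` result for the first move and an `ok: false` result for the second, with the second work tree and the already-finalized destination both untouched.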

@heznpc heznpc enabled auto-merge (squash) June 4, 2026 12:22
@heznpc heznpc merged commit fc4c555 into main Jun 4, 2026
6 checks passed
@heznpc heznpc deleted the fix/quality-audit branch June 4, 2026 12:23
