feat: v1.0.0 production readiness

[dhaveed]

Summary

Prepares diffr for its first public release and GitHub Marketplace listing.

Security & Robustness

• LLM prompt sanitization with explicit distrust framing in system prompt
• 60s request timeouts for Anthropic and OpenAI clients
• Debug logging for previously silent catch blocks in GitHubClient
• Unhandled promise rejection fix at action entry point
• Default branch read from GitHub context instead of hardcoded 'main'
• HTML stripping for PR bodies at ingestion to reduce noise and token waste

Versioning & Correctness

• Conventional commit-aware version bumping (feat! → major, feat → minor, else → patch)
• Duplicate compare link removed from fallback generator (orchestrator handles it)
• Non-null assertions replaced with safe access patterns
• Author field split into github_username / commit_author_name for LLM payload clarity
• PR URL included in LLM payload for accurate link generation
• Importance-aware truncation (breaking > feat > fix > internal) with chronological order preserved

LLM Prompt Hardening

• System prompt explicitly marks all input as untrusted source material
• Classification precedence rules (Breaking > Features > Bug Fixes > Improvements > Internal)
• Anti-duplication guidance for overlapping commit/PR descriptions
• Conservative token estimation (3.3 chars/token + 10% safety margin)

Infrastructure

• GitHub API rate limit detection (warns at ≤10 remaining) and Retry-After header support
• Dogfood workflow validates outputs (semver format, tag prefix, dry-run flag, non-empty notes)
• Production release workflow triggered by v* tags with floating major tag update
• LICENSE (MIT), SECURITY.md, CHANGELOG.md, .env.example
• Version bumped to 1.0.0

Test plan

• pnpm typecheck passes
• pnpm lint passes
• pnpm test — 166/166 tests passing
• pnpm build — dist rebuilt
• Merge to main, verify CI passes
• Tag v1.0.0, verify release workflow creates GitHub Release
• Publish to GitHub Marketplace