fix: validate version bump + real /health + tests for version/health/rollback

[heznpc]

Fixes all quality-audit findings, each verified failing on origin/main first.

CRITICAL — scripts/bump-version.js

• Validates VERSION against /^\d+\.\d+\.\d+$/ AND each component Number.isInteger (>= 0) BEFORE writing.
• On malformed/short/suffixed input prints to stderr and process.exit(1) — never writes 1.2.NaN / NaN.undefined.NaN, never exits 0 on corrupt input.
• Logic factored into exported parseVersion / bump so tests drive the real code.
• Before: 1.2.3-beta → wrote 1.2.NaN, exit 0. 1.2 → silently wrote 1.3.0.

MAJOR — app/server.js

• /health now backed by a list of async readiness checks: all pass → 200 {"status":"ok"}; any falsy/throw → 503 {"status":"unavailable"}. It can now express failure (real readiness signal: listener must be bound; users wire real dependency probes via createApp({ readinessChecks })).
• Unknown paths return 404 instead of 200-for-everything.
• README (en + ko) + AGENTS.md document that users MUST wire real dependency checks; fail-closed rationale recorded.

TESTS (node:test, run via npm test)

• tests/bump-version.test.js — table-driven patch/minor/major increments, file-rewrite on success, and loud failure (exit 1, stderr, file untouched, no NaN) on malformed VERSION. Spawns the real CLI.
• tests/server.test.js — starts the real server: /health → 200, / → 200, unknown → 404, and /health → 503 when an injected readiness check fails/throws.
• tests/rollback-integration.sh — scenario 3 now asserts docker-compose.failed.yml exists, docker-compose.yml is gone, and nothing is left running. New scenario 4 (both images unhealthy) asserts the system is fully quiesced.
• scripts/deploy-with-rollback.sh — both terminal-failure branches now docker compose down BEFORE moving the compose aside, so a failed deploy no longer leaks an unhealthy container (the new shell assertions require this).
• Wired a node-tests job into ci.yml so the JS suite gates merges.

Verification

• npm test: 17/17 pass.
• Mutation-checked non-tautological: reverting bump-version → 5 failures; reverting server.js → 3 failures.
• bash -n + shellcheck clean on both shell scripts; docker compose config validates. The rollback integration test runs in CI (no local Docker daemon).