Add dependency advisory graph skill#119

Open
RYDE-PLAY wants to merge 1 commit into
runxhq:mainfrom
RYDE-PLAY:ryde-play/dependency-advisory-graph
Conversation

@RYDE-PLAY (Contributor) commented Jun 22, 2026

Adds the dependency-advisory-graph runx skill.

This skill scans a committed npm package-lock.json, queries OSV with exact package/version tuples only, and emits a typed advisory graph packet. It is read-only: it does not install target packages, execute target code, mutate repositories, or report package-name-only advisory matches.

Validation included in this PR:

  • X.yaml defines three harness cases: an advisory-positive OWASP NodeGoat lockfile pinned to commit c5cb68a7084e4ae7dcc60e6a98768720a81841e8, a clean lockfile fixture with no findings, and an intentional missing-lockfile stop case.
  • run.mjs emits dependency.advisory.graph.result.v1, typed_findings, and an advisory_graph with affected_by_exact_version edges.
  • The runner uses Node's built-in https module instead of fetch, so hosted runtimes without global fetch still execute the network cases.
  • harness/local-case-runs.json records local direct case evidence using runx-cli 0.6.13.
  • The NodeGoat fixture found 13 exact-version OSV findings across 6 direct production packages.
  • The clean fixture returned zero findings, zero typed findings, and zero graph edges.
  • The missing-lockfile stop case fails closed instead of fabricating an advisory graph.
  • The generated report includes a graph receipt note; this skill builds the graph directly rather than composing another graph skill.
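
The lockfile-to-OSV pipeline the description outlines, as an added example that is not the PR's run.mjs or any runx code. It parses a constructed package-lock.json (lockfileVersion 3 layout), emits only exact name/version queries in the shape of the OSV querybatch endpoint (https://api.osv.dev/v1/querybatch), and turns a constructed querybatch response into typed findings and affected_by_exact_version edges. The package names, versions, advisory IDs and the packet field names other than the kind string are placeholders and assumptions; the real runner performs the HTTPS call itself, whereas this example takes the response as an argument so it runs offline.

```javascript
// Added example (not the PR's run.mjs): exact-version OSV lookup over a lockfile,
// run against constructed data so it works offline. Package names, versions and
// advisory IDs are placeholders; packet field names are assumptions.

// Constructed package-lock.json (lockfileVersion 3: "packages" keyed by
// node_modules path, root entry at "").
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-lib": "^1.2.0" } },
    "node_modules/left-lib": { version: "1.2.3" },
    "node_modules/@scope/dev-tool": { version: "2.0.0", dev: true },
    "node_modules/left-lib/node_modules/inner-lib": { version: "0.9.0" },
    "node_modules/no-version-entry": { link: true },
  },
});

// Constructed OSV querybatch response, one result per query, in query order.
// The IDs are placeholders, not real advisories.
const SAMPLE_OSV_RESPONSE = {
  results: [
    { vulns: [{ id: "EXAMPLE-0001" }, { id: "EXAMPLE-0002" }] }, // left-lib@1.2.3
    { vulns: [] },                                               // @scope/dev-tool@2.0.0
    { vulns: [{ id: "EXAMPLE-0003" }] },                         // inner-lib@0.9.0
  ],
};

// Exact (name, version) tuples. The name is the path after the last
// "node_modules/", which keeps scoped packages intact. Entries without a
// version are skipped on purpose: a name-only OSV query returns every advisory
// for the package regardless of version, the match class the skill refuses.
function extractTuples(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const seen = new Map();
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const key = `${name}@${entry.version}`;
    if (!seen.has(key)) seen.set(key, { name, version: entry.version, dev: Boolean(entry.dev) });
  }
  return [...seen.values()];
}

// Request body for POST https://api.osv.dev/v1/querybatch; every query carries a version.
function buildQueryBatch(tuples) {
  return {
    queries: tuples.map((t) => ({ package: { name: t.name, ecosystem: "npm" }, version: t.version })),
  };
}

// Typed findings and graph edges from a querybatch response. Results are
// positional, so a count mismatch means they cannot be paired with the tuples
// and the run stops instead of guessing.
function buildAdvisoryGraph(tuples, response) {
  const results = response?.results;
  if (!Array.isArray(results) || results.length !== tuples.length) {
    return { status: "stop", reason: "osv_result_count_mismatch", typed_findings: [], advisory_graph: { edges: [] } };
  }
  const typed_findings = [];
  const edges = [];
  tuples.forEach((t, i) => {
    for (const v of results[i].vulns ?? []) {
      typed_findings.push({ type: "exact_version_advisory", package: t.name, version: t.version, advisory: v.id, dev: t.dev });
      edges.push({ from: `${t.name}@${t.version}`, to: v.id, relation: "affected_by_exact_version" });
    }
  });
  return { status: "ok", typed_findings, advisory_graph: { edges } };
}

// Assemble the packet. A missing lockfile is a stop, never an empty graph.
function runScan(lockfileText, osvResponse) {
  if (lockfileText == null) {
    return { kind: "dependency.advisory.graph.result.v1", status: "stop", reason: "lockfile_missing" };
  }
  const tuples = extractTuples(lockfileText);
  return { kind: "dependency.advisory.graph.result.v1", queried: tuples.length, ...buildAdvisoryGraph(tuples, osvResponse) };
}

console.log(JSON.stringify(runScan(SAMPLE_LOCKFILE, SAMPLE_OSV_RESPONSE), null, 2));
```

The two fail-closed paths are deliberate: a null lockfile and a response whose result count does not match the query count both produce a stop packet with an empty graph rather than a plausible-looking partial one, and the version check in extractTuples is what keeps name-only matches out of the query batch in the first place.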

RYDE-PLAY force-pushed the ryde-play/dependency-advisory-graph branch 4 times, most recently from d2901f8 to 2b4310b (June 23, 2026 00:01)
RYDE-PLAY force-pushed the ryde-play/dependency-advisory-graph branch from 2b4310b to 789b841 (June 23, 2026 00:17)