harden fact discovery contracts

[ncode]

Summary

This PR commits the current hardening pass across Facts discovery, formatting, config, cache, schema, and release validation, plus the follow-up CI fixes from PR validation.

The latest fix keeps the mountpoint contract intact instead of making mountpoints conditional: every real OS needs at least one mount point, and the failures came from code/test issues. Schema conformance now handles escaped dynamic mountpoint keys correctly, parsed mount entries keep mountpoints.*.options present even when the OS reports no options, and the Windows cache test no longer asserts POSIX permission bits on a platform that reports them differently.

Changes

• Harden the public engine/snapshot surface: uninitialized Engine.Discover now returns an error instead of panicking, map key normalization rejects duplicate string forms, and snapshot/structured fact handling is more deterministic.
• Tighten CLI argument validation for query mode, including -- delimiter handling and dash-prefixed option values, and avoid adding an extra newline for YAML facterversion output.
• Improve cache and config correctness: external file facts can cache by source basename, cache writes use temp-file replacement, TTL parsing rejects negative/overflowing durations, and HOCON section parsing ignores section-like text in comments/strings.
• Strengthen structured fact filtering, projection, formatting, JSON conversion, and supported-facts/schema generation around nested values and blocked descendants.
• Harden platform fact collection for disks, DMI, cloud metadata, processors, SELinux, SSH, timezone, uptime, and OS detection edge cases, with focused fixture-based tests.
• Fix schema wildcard matching for escaped dynamic fact keys such as mountpoints./etc/resolv\.conf.size, so dotted mount paths do not get re-split into false missing schema entries.
• Preserve the mountpoints.*.options schema contract for parsed mount entries that have device or filesystem data but no options list by emitting an empty option slice.
• Make the Windows cache-file mode test verify the cache behavior without asserting Unix 0600 permission bits on Windows.
• Update tooling and validation surfaces: Lima Go defaults move to Go 1.26.4, integration workflow creates dist before building and no longer requires a release artifact, release gates cover disks, partitions, and path, and generated local artifacts are ignored.

Validation

• gofmt -w on modified Go files
• go test ./... - 1626 passed in 9 packages
• go vet ./... - no issues found
• go test -race . ./internal/engine ./internal/app - 1502 passed in 3 packages
• make build
• Cross-compile parity with CI: CGO_ENABLED=0 GOOS/GOARCH go build ./... passed for linux, windows, darwin, freebsd, openbsd, netbsd, dragonfly, illumos, and plan9 targets in the workflow matrix
• Docker CI repros: golang:1.26-bookworm and golang:1.26-alpine both passed TestFactsSchemaConformance
• nlab source checks: FreeBSD and DragonFly passed root schema conformance plus the mountpoint-options regression test
• nlab cross-compiled release gates: FreeBSD, DragonFly BSD, OmniOS/illumos, and Windows passed using binaries built from this patch
• nlab Windows regression: cross-compiled internal/engine test binary passed TestWriteCacheFileWritesFinalFileAndRemovesTemp
• Open-Code-Review: reviewed the production-code diff and reported no comments