fix: Commit embedded formulas for go install @latest (#117)

* fix: Commit embedded formulas for go install @latest

The internal/formula/formulas/ directory was gitignored, causing
`go install github.com/steveyegge/gastown/cmd/gt@latest` to fail with:

  pattern formulas/*.formula.json: no matching files found

The go:embed directive requires these files at build time, but
go install @latest doesn't run go:generate. By committing the
generated formulas, users can install directly without cloning.

Maintainers should run `go generate ./...` after modifying
.beads/formulas/ to keep the embedded copy in sync.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* ci: Add check for committed embedded formulas

Adds a new CI job that:
1. Builds without running go:generate (catches missing formulas)
2. Verifies committed formulas match .beads/formulas/ source

Also removes redundant go:generate steps from other jobs since
formulas are now committed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: exclude towers-of-hanoi test formulas from embed

These are durability stress test fixtures (pre-computed move sequences),
not production formulas users need. Excluding them reduces embedded
content by ~10K lines.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: gus <steve.yegge@gmail.com>

internal/formula/formulas/security-audit.formula.toml

@@ -0,0 +1,38 @@
+description = "Cross-cutting security concern. Applies security scanning before and after implementation steps."
+formula = "security-audit"
+type = "aspect"
+version = 1
+
+[[advice]]
+target = "implement"
+[advice.around]
+
+[[advice.around.after]]
+description = "Post-implementation security scan. Scan new code for vulnerabilities (SAST). Check for hardcoded secrets. Review for OWASP Top 10 issues."
+id = "{step.id}-security-postscan"
+title = "Security postscan for {step.id}"
+
+[[advice.around.before]]
+description = "Pre-implementation security check. Review for secrets/credentials in scope. Check dependencies for known vulnerabilities."
+id = "{step.id}-security-prescan"
+title = "Security prescan for {step.id}"
+
+[[advice]]
+target = "submit"
+[advice.around]
+
+[[advice.around.after]]
+description = "Post-submission security verification. Confirm no new vulnerabilities introduced."
+id = "{step.id}-security-postscan"
+title = "Security postscan for {step.id}"
+
+[[advice.around.before]]
+description = "Pre-submission security check. Final vulnerability scan before merge."
+id = "{step.id}-security-prescan"
+title = "Security prescan for {step.id}"
+
+[[pointcuts]]
+glob = "implement"
+
+[[pointcuts]]
+glob = "submit"