This PR upgrades the AI security audit skill to V2 architecture, based on upstream pashov/skills V2 changes adapted for Rust/Substrate.

What changed

• Renamed security_audit → hydration_cl0wdit

• Change vibes from whitehat to blackhat

• 10 specialized agents (up from 5) — all run by default, no --deep flag, no model overrides:

  • 4 vector-scan agents (hydration-specific + 3 generic substrate attack vector sets)
  • Math precision — arithmetic, saturating_sub, rounding, type conversions
  • Access control — origin checks, proxy bypass, XCM origin confusion
  • Economic security — token behaviors, oracle manipulation, weight underpricing
  • Execution trace — hooks, cross-pallet calls, TOCTOU, XCM flow
  • Invariant — conservation laws, pool math, state couplings
  • First principles — assumption violation, unnamed bug classes
  • Test & benchmark coverage gaps

• 4-gate finding validation (replaces 3-check FP gate): Refutation → Reachability → Trigger → Impact

• FINDING/LEAD distinction — partial findings reported as Leads for manual review instead of being dropped. Structured output with group_key for deduplication and mandatory proof: field.

• Improved dedup — composite chain detection, multi-agent convergence promotion, single-pass gate evaluation protocol.

• Version check — VERSION file + remote check on startup.

• Report includes skill version in the Scope table.