docs: retire repo-mem MCP, migrate skills to .claude/skills, audit fixes

- Delete .mcp.json + .claude/rules/repo-mem.md; drop .repo-mem from .gitignore
- Remove repo-mem / substrate_score / repo_search references from all .md
- Move 15 EVOLV skills from .agents/skills/ to .claude/skills/ so they are
  auto-discovered by the Claude Code harness and invokable via the Skill tool
- Retire .agents/skills/evolv-orchestrator (duplicate of the subagent at
  .claude/agents/evolv-orchestrator.md); orchestrator lives as a subagent only
- Drop OpenAI-format agent yaml metadata from each skill (not needed for CC)
- Update CLAUDE.md, CONTRACTS.md, AGENTS.md to point at the new locations and
  disambiguate skills (.claude/skills/) vs subagents (.claude/agents/)
- Fix CLAUDE.md tick-loop wording (opt-in per-node, not a fixed 1000ms)
- Widen .claude/rules/ paths frontmatter so node-architecture and telemetry
  rules trigger on more relevant files; add frontmatter to flow-layout rule
- Bump CONTRACTS.md review date to 2026-05-19; add step 7 to the contract-
  change workflow (review example flows when topic usage changes)
- Bump nodes/generalFunctions pin (Home.md substrate_score reference removed)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.claude/skills/evolv-ot-it-security/SKILL.md

@@ -0,0 +1,56 @@
+---
+name: evolv-ot-it-security
+description: Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.
+---
+
+# EVOLV OT/IT Security
+
+## Mission
+Identify and reduce security risk while preserving operational reliability for process automation workloads.
+
+## Harness Execution Contract
+- Model trust boundaries first (admin HTTP, message ingress, external integrations).
+- Define security invariants before edits:
+  - secure defaults stay secure unless explicitly approved
+  - no sensitive leakage in logs/UI/errors
+  - malformed control inputs are rejected predictably
+- Support findings with reproducible evidence and concrete remediation steps.
+
+## Scope
+- Node-RED admin endpoints in node entry files
+- Input validation across `msg.topic` and payload paths
+- Exposure of sensitive config/secrets in code, logs, or UI
+- Dependency and supply-chain concerns in node packages
+
+## Security Workflow
+1. Enumerate attack surface:
+- HTTP admin routes
+- message ingress topics/payloads
+- external service interfaces
+2. Validate input sanitization and type checks.
+3. Check least-privilege assumptions and secret handling.
+4. Evaluate failure modes for denial-of-service or unsafe operation.
+5. Recommend pragmatic controls with minimal operational friction.
+
+## Control Priorities
+- Reject malformed or unauthorized control messages.
+- Avoid leaking credentials, asset identifiers, or internal topology.
+- Keep defaults safe; require explicit opt-in for risky behavior.
+- Preserve auditability of critical control actions.
+
+## Validation Expectations
+- Add negative tests for malformed inputs and unauthorized paths.
+- Confirm error paths are explicit and non-sensitive.
+- Document residual risk when controls are deferred.
+
+## Deliverables
+Return:
+- findings sorted by severity
+- concrete remediation plan by file
+- tests added for security regressions
+- residual risks and compensating controls
+
+Decision interview triggers:
+- any change that relaxes authentication/authorization checks
+- exposure of new admin routes or integration interfaces
+- security control deferrals that require compensating controls