ci: silence Annex K noise from clang-tidy

The first clang-tidy run on v0.7.0 reported 193 warnings, all from
one check: clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling.

That check flags snprintf, fprintf, memset, strncpy etc. and
recommends the C11 Annex K _s variants (snprintf_s, memset_s, ...).
Annex K is fundamentally not portable — glibc, musl, and MSVC all
either don't implement it or implement it incompletely. snprintf is
already bounds-checked via its size argument; this check is noise
rather than signal in any real C codebase.

Also pre-emptively disabling bugprone-easily-swappable-parameters
which fires on every small utility function taking 2+ same-typed
params (e.g. skeletonkey_host_kernel_at_least(host, major, minor,
patch)).

Everything else stays on. The next CI run will show whatever real
findings hid under the noise.

.clang-tidy

@@ -0,0 +1,24 @@
+# clang-tidy configuration for SKELETONKEY core/.
+#
+# Defaults are mostly fine. Two checks intentionally disabled:
+#
+#   clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling
+#     This check flags snprintf, fprintf, memset, strncpy, etc. as
+#     "insecure" and recommends the C11 Annex K _s variants
+#     (snprintf_s, memset_s, ...). Annex K is fundamentally not
+#     portable — glibc, musl, and MSVC all either don't implement
+#     it or implement it incompletely. snprintf is already bounds-
+#     checked; this is noise rather than signal in real C code.
+#     The Linux kernel uses these functions everywhere; so does
+#     every C project. Disabling.
+#
+#   bugprone-easily-swappable-parameters
+#     Flags every function taking 2+ same-typed parameters. False-
+#     positive heavy on small utility functions like
+#     skeletonkey_host_kernel_at_least(host, major, minor, patch)
+#     where the parameter order is documented and obvious. Not
+#     worth the noise.
+
+Checks: >
+  -clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,
+  -bugprone-easily-swappable-parameters