core/host: shared host fingerprint refactor

Adds core/host.{h,c} — a single struct skeletonkey_host populated once
at startup and handed to every module callback via ctx->host. Replaces
the per-detect uname / /etc/os-release / sysctl / userns-fork-probe
calls scattered across the corpus with O(1) cached lookups, and gives
the dispatcher one consistent view of the host.

What's in the fingerprint:

- Identity: kernel_version (parsed from uname.release), arch (machine),
  nodename, distro_id / distro_version_id / distro_pretty (parsed once
  from /etc/os-release).
- Process state: euid, real_uid (defeats userns illusion via
  /proc/self/uid_map), egid, username, is_root, is_ssh_session.
- Platform family: is_linux, is_debian_family, is_rpm_family,
  is_arch_family, is_suse_family (file-existence checks once).
- Capability gates (Linux): unprivileged_userns_allowed (live
  fork+unshare probe), apparmor_restrict_userns,
  unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active,
  selinux_enforcing, yama_ptrace_restricted.
- System services: has_systemd, has_dbus_system.

Wiring:

- core/module.h forward-declares struct skeletonkey_host and adds the
  pointer to skeletonkey_ctx. Modules opt-in by including
  ../../core/host.h.
- core/host.c is fully POD (no heap pointers) — uses a single file-
  static instance, returns a stable pointer on every call. Lazily
  populated on first skeletonkey_host_get().
- skeletonkey.c calls skeletonkey_host_get() at main() entry, stores
  in ctx.host before any register_*() runs.
- cmd_auto's bespoke distro-fingerprint code (was an inline
  read_os_release helper) is replaced with skeletonkey_host_print_banner(),
  which emits a two-line banner of identity + capability gates.

Migrations:

- dirtydecrypt: kernel_version_current() -> ctx->host->kernel.
- fragnesia: removed local fg_userns_allowed() fork-probe in favour of
  ctx->host->unprivileged_userns_allowed (no per-scan fork). Also
  pulls kernel from ctx->host. The PRECOND_FAIL message now notes
  whether AppArmor restriction is on.
- pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family;
  also short-circuits when ctx->host->has_dbus_system is false (saves
  the GLib g_bus_get_sync attempt on systems without system D-Bus).
- overlayfs: replaced the inline is_ubuntu() /etc/os-release parser
  with ctx->host->distro_id comparison. Local helper preserved for
  symmetry / standalone builds.

Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint'
section describing the struct, the opt-in include pattern, and
example detect() usage. ROADMAP --auto accuracy log notes the
landing and flags remaining modules as an incremental follow-up.

Build verification:

- macOS (local): make clean && make -> Mach-O x86_64, 31 modules,
  banner prints with distro=?/? (no /etc/os-release).
- Linux (docker gcc:latest + libglib2.0-dev): make clean && make ->
  ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13
  + 7 capability gates. dirtydecrypt correctly says 'predates the
  rxgk code added in 7.0'; fragnesia PRECOND_FAILs with
  '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on
  no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.

docs/ARCHITECTURE.md

@@ -82,7 +82,11 @@ Code that more than one module needs lives in `core/`:
 
 1. Parse args (`--scan`, `--exploit <name>`, `--mitigate`,
    `--detect-rules`, `--cleanup`, etc.)
-2. Fingerprint the host
+2. **Fingerprint the host** — `core/host.c` is called once at startup
+   to populate `struct skeletonkey_host` (kernel version + arch +
+   distro + capability gates + service presence). The result is
+   handed to every module via `ctx->host`. See "Host fingerprint"
+   below.
 3. For `--scan`: iterate module registry, call each module's
    `detect()`, emit table of results
 4. For `--exploit <name>`: locate module, gate behind `--i-know`,
@@ -90,6 +94,44 @@ Code that more than one module needs lives in `core/`:
 5. For `--detect-rules`: walk module registry, concatenate detection
    files in the requested format
 
+## Host fingerprint (`core/host.{h,c}`)
+
+A single `struct skeletonkey_host` is populated once at startup and
+exposed to every module via `ctx->host` (a stable pointer for the
+process lifetime). It carries:
+
+- **Identity:** `struct kernel_version kernel` + arch + nodename +
+  distro id/version/pretty (parsed from `/etc/os-release`).
+- **Process state:** euid, real_uid (defeats the userns illusion by
+  reading `/proc/self/uid_map`), egid, username, is_root,
+  is_ssh_session.
+- **Platform family:** is_linux, is_debian_family, is_rpm_family,
+  is_arch_family, is_suse_family.
+- **Capability gates (Linux):** unprivileged_userns_allowed (live
+  fork-probe), apparmor_restrict_userns, unprivileged_bpf_disabled,
+  kpti_enabled, kernel_lockdown_active, selinux_enforcing,
+  yama_ptrace_restricted.
+- **System services:** has_systemd, has_dbus_system.
+
+Modules that want to consult the fingerprint do:
+
+```c
+#include "../../core/host.h"
+/* ... */
+if (ctx->host && !ctx->host->unprivileged_userns_allowed)
+    return SKELETONKEY_PRECOND_FAIL;
+if (ctx->host->kernel.major < 7)
+    return SKELETONKEY_OK;   /* predates the bug */
+```
+
+The migration is opt-in per module — modules that don't `#include`
+host.h continue to do their own probes; modules that do save the
+duplicate work and get a consistent view across the whole scan.
+
+`--auto` and `--scan` (in verbose mode) print a two-line banner of
+the fingerprint via `skeletonkey_host_print_banner()` so operators
+can see at a glance which gates are open.
+
 ## CI matrix
 
 `.github/workflows/ci.yml` (planned, Phase 4) runs each module's