release v0.7.1: arm64-static binary + per-module arch_support

Two additions on top of v0.7.0:

1. skeletonkey-arm64-static is now published alongside the existing
   x86_64-static binary. Built native-arm64 in Alpine via GitHub's
   ubuntu-24.04-arm runner pool (free for public repos as of 2024).
   install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1
   fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple
   Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc.

   .github/workflows/release.yml refactor: the previous single
   build-static-x86_64 job becomes a build-static matrix with two
   entries (x86_64-static on ubuntu-latest, arm64-static on
   ubuntu-24.04-arm). Both share the same Alpine container + build
   recipe.

2. .arch_support field on struct skeletonkey_module — honest per-module
   labeling of which architectures the exploit() body has been verified
   on. Three categories:

     'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor,
       pack2theroot. Purely userspace; arch-independent.

     'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel;
       x86-only by physics. Already source-gated (returns
       PRECOND_FAIL on non-x86_64).

     'x86_64+unverified-arm64' (26 modules): kernel exploitation
       code. The bug class is generic but the exploit primitives
       (msg_msg sprays, finisher chain, struct offsets) haven't been
       confirmed on arm64. detect() still works (just reads ctx->host);
       only the --exploit path is in question.

   --list now has an ARCH column (any / x64 / x64?) and the footer
   prints 'N arch-independent (any)'.
   --module-info prints 'arch support: <value>'.
   --scan --json adds 'arch_support' to each module record.

This is the honest 'arm64 works for detection on every module +
exploitation on 4 of them today; the rest await empirical arm64
sweep' framing — not pretending the kernel exploits already work
there, but not blocking the arm64 binary on that either. arm64
users get the full triage workflow + a handful of userspace exploits
out of the box, plus a clear roadmap for the rest.

Future work to promote modules from 'x86_64+unverified-arm64' to
'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to
tools/verify-vm/ and run a verification sweep on Apple Silicon /
ARM Linux hardware.

.github/workflows/release.yml

@@ -59,14 +59,28 @@ jobs:
             skeletonkey-${{ matrix.target }}
             skeletonkey-${{ matrix.target }}.sha256
 
-  # Portable static-musl build for x86_64. Runs in Alpine (native
-  # musl + linux-headers) so the resulting binary works on every
-  # libc — glibc 2.x of any version, musl, etc. This is what
-  # install.sh fetches by default (the dynamic binary above hits a
-  # glibc-version ceiling on older distros like Debian 12 / RHEL 8).
-  build-static-x86_64:
-    runs-on: ubuntu-latest
-    name: build (x86_64-static / musl)
+  # Portable static-musl builds. Run in Alpine (native musl +
+  # linux-headers) so the resulting binary works on every libc —
+  # glibc 2.x of any version, musl, etc. This is what install.sh
+  # fetches by default (the dynamic binary above hits a glibc-
+  # version ceiling on older distros like Debian 12 / RHEL 8).
+  #
+  # x86_64-static runs on the regular x86_64 runner pool.
+  # arm64-static runs on GitHub's native ARM Linux runners
+  # (free for public repos as of 2024). Both produce statically-
+  # linked binaries that just need an executable Linux kernel of
+  # the right ABI.
+  build-static:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-static
+            runner: ubuntu-latest
+          - target: arm64-static
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+    name: build (${{ matrix.target }} / musl)
     container:
       image: alpine:latest
     steps:
@@ -88,18 +102,18 @@ jobs:
 
       - name: rename + checksum
         run: |
-          mv skeletonkey skeletonkey-x86_64-static
-          sha256sum skeletonkey-x86_64-static > skeletonkey-x86_64-static.sha256
+          mv skeletonkey skeletonkey-${{ matrix.target }}
+          sha256sum skeletonkey-${{ matrix.target }} > skeletonkey-${{ matrix.target }}.sha256
 
       - uses: actions/upload-artifact@v4
         with:
-          name: skeletonkey-x86_64-static
+          name: skeletonkey-${{ matrix.target }}
           path: |
-            skeletonkey-x86_64-static
-            skeletonkey-x86_64-static.sha256
+            skeletonkey-${{ matrix.target }}
+            skeletonkey-${{ matrix.target }}.sha256
 
   release:
-    needs: [build, build-static-x86_64]
+    needs: [build, build-static]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -154,5 +168,7 @@ jobs:
             skeletonkey-x86_64-static.sha256
             skeletonkey-arm64
             skeletonkey-arm64.sha256
+            skeletonkey-arm64-static
+            skeletonkey-arm64-static.sha256
             install.sh
           fail_on_unmatched_files: false   # install.sh may not exist at first tag