docs: add security-reviewer entry and fix README layer count

[Soul-Craft]

Summary

• Add missing ### Agent: security-reviewer block to CLAUDE.md Automations section — it was the only agent without a dedicated entry despite being referenced in the Security section and file tree.
• Fix README.md: "defense-in-depth across two layers" → "three layers". The three-layer structure (Swift validation, atomic ops/permissions, plugin-level enforcement) was correctly described below but mislabeled in the intro; CLAUDE.md:99 already said "three layers".

Both items surfaced by the /session-end docs-audit step on a clean main. 5 lines changed, no code touched.

Type of change

• Bug fix
• New feature (species, skill, patch type, etc.)
• Refactoring (no behavior change)
• Documentation
• CI / tooling

Testing checklist

• scripts/test-all.sh — all 6 tiers pass (182/182, 19s) on local macOS at f4c3562's parent
• scripts/test-docs.sh — 17/17 (the tier that would catch structural doc drift)
• scripts/upload-test-results.sh — will run after this PR exists so the Check Run attaches to f4c3562
• If touching UI: scripts/test-visual-smoke.sh — N/A (no UI changes)

If modifying skills, hooks, or agents

Not modifying any — this PR only edits the docs about them. The security-reviewer agent file (agents/security-reviewer.md) already exists; we're just adding its missing Automations-section blurb.

• CLAUDE.md updated
• README.md updated

Scope checklist

• No .build/ or test-results/ committed
• Commit message describes the "why" (drift caught by docs audit, not arbitrary rewording)

Risk

None. Documentation-only. Zero impact on patching, backup/restore, codesign, or any runtime behavior.

[github-actions]

Local tests not yet uploaded

This repository runs macOS-dependent tests locally (not in CI) to keep
GitHub Actions costs down. Before this PR can merge, please:

1. Run the full test suite on your macOS machine:

   scripts/test-all.sh
   

2. Upload the results to GitHub:

   scripts/upload-test-results.sh
   

Results will appear either as a Check Run or a PR comment on this commit.
See CLAUDE.md for more detail on the testing architecture.

[Soul-Craft]

Local Tests (macOS)

182/182 passed — Local Tests (macOS)
Commit: f4c35622a8e6 on claude/amazing-mayer
Duration: 5s
Environment: Darwin 25.4.0 (arm64)
Swift: Apple Swift version 6.3 (swiftlang-6.3.0.123.5 clang-2100.0.123.102)

Tier	Passed	Failed	Duration
Smoke
✅ smoke	13	0	0s
Core
✅ unit	98	0	0s
✅ security	25	0	1s
Real-world
✅ ui	23	0	2s
Full system
✅ snapshots	6	0	0s
Peripheral
✅ docs	17	0	1s
TOTAL	182	0	5s

_{Posted by scripts/upload-test-results.sh — Check Run API unavailable.}