Network-AI
Release

v5.8.8 — CodeQL TOCTOU data-flow fix + SkillSpector NLP guard

Published 2026-05-30 | Release notes



What's Changed

Fixed

  • CodeQL #169–#171 — CWE-367 TOCTOU data-flow break (test-phase11.ts): openSync(lockPath/tmpPath, 'w') write blocks still triggered js/file-system-race because CodeQL traced the same variables from earlier existsSync assertions. Fixed #169–#170 by replacing existsSync(lockPath) assertions with lock.getStatus().locked (breaks the taint chain at the check side). Fixed #171 by switching the .tmp orphan-simulation write to O_CREAT|O_EXCL|O_WRONLY — atomic-create is the CodeQL-recommended pattern and correct here since the file must not already exist.
  • CodeQL #172 — unused writeFileSync import (test-phase11.ts): All three path-based writes were replaced with fd operations in v5.8.7; the now-unused import is removed. constants and unlinkSync added in its place.
  • SkillSpector Natural-Language Policy Violations (71%) (claude-project-prompt.md): "DECOMPOSE every complex request into exactly 3 sub-tasks" was unconditional, forcing sub-agent orchestration for all requests. Added a scope guard so the decomposition protocol only applies to genuinely complex, multi-domain requests.
  • Test noise — red stderr warnings: NETWORK_AI_MINIMAL=1 now scoped to testAtomicSnapshot/testPriorityEviction only (set on entry, deleted in finally), silencing expected disableWal warnings without affecting Feature 2's real WAL replay coverage.
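
The atomic-create pattern from the #171 fix, set beside the check-then-open pattern that js/file-system-race flags, as an added example (not code from Network-AI or its test suite). The function names, the `interleave` hook and the file names are hypothetical; the hook stands in for a second process acting between the check and the open.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Check-then-use: the pattern js/file-system-race flags. `interleave` is a
// hypothetical hook standing in for another process that acts in the window
// between the existsSync check and the openSync use.
function racyCreate(filePath, data, interleave = () => {}) {
  if (fs.existsSync(filePath)) return false;   // check
  interleave();                                // window
  const fd = fs.openSync(filePath, 'w');       // use: truncates whatever is there now
  try { fs.writeSync(fd, data); } finally { fs.closeSync(fd); }
  return true;
}

// Atomic create: the existence test and the creation are one open(2) call,
// so there is no window. Returns false if the path already exists.
function atomicCreate(filePath, data) {
  const { O_CREAT, O_EXCL, O_WRONLY } = fs.constants;
  let fd;
  try {
    fd = fs.openSync(filePath, O_CREAT | O_EXCL | O_WRONLY, 0o600);
  } catch (err) {
    if (err.code === 'EEXIST') return false;
    throw err;
  }
  try { fs.writeSync(fd, data); } finally { fs.closeSync(fd); }
  return true;
}

// Constructed scenario: a second writer gets to the path first.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-demo-'));
  const racyPath = path.join(dir, 'racy.tmp');
  const atomicPath = path.join(dir, 'atomic.tmp');
  try {
    const racyResult = racyCreate(racyPath, 'ours', () => fs.writeFileSync(racyPath, 'theirs'));
    fs.writeFileSync(atomicPath, 'theirs');
    const atomicResult = atomicCreate(atomicPath, 'ours');
    return {
      racyResult, racyContent: fs.readFileSync(racyPath, 'utf8'),
      atomicResult, atomicContent: fs.readFileSync(atomicPath, 'utf8'),
      freshResult: atomicCreate(path.join(dir, 'fresh.tmp'), 'ours'),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

`racyCreate` reports success after overwriting the other writer's data, while `atomicCreate` returns false and leaves the file untouched.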

Full Changelog: https://github.com/Jovancoding/Network-AI/compare/v5.8.7...v5.8.8

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.8.8?

CodeQL 169–171 — CWE-367 TOCTOU data-flow break (test-phase11.ts): openSync(lockPath/tmpPath, 'w') write blocks still triggered js/file-system-race because CodeQL traced the same variables from earlier existsSync asserti

When was v5.8.8 published?

v5.8.8 was published on May 30, 2026.
