feat(marketplace): rebuild as static git-sourced browser in the docs site

[siracusa5]

Summary

Rebuilds the plugin marketplace to collapse two Next.js apps (and two design systems) into one. The marketplace is now real, browsable pages inside the documentation site, generated from git at build time, with trust signals produced by the existing security scanner. The dormant Supabase marketplace app is retired and its schema archived as the seed of future community/team self-service publishing.

This is the foundation chosen deliberately for where the project is today (16 first-party plugins, no community yet): static-from-git needs no infra and never drifts, while a MarketplaceSource abstraction keeps the door open for a dynamic backend later with no UI rewrite.

Changes

• packages/marketplace-data/ (new) — build-time generator: reads marketplace.json + each plugin.json + SKILL.md, runs the @harness-kit/core security scanner, derives trust tiers, emits a typed static JSON. Supports --strict (fails the build on a failed scan). Includes vitest coverage asserting the 16-plugin invariant.
• website/app/marketplace/ — browse page + per-plugin detail pages (generateStaticParams). Client-side search and category/tag/trust filters held in memory (no useSearchParams, so static export stays clean). Detail pages show install command (copy), env requirements, MCP info, a security panel, and inline SKILL.md source.
• MarketplaceSource seam — the browse layer reads through a source abstraction (one StaticSource today); a future remote source merges into the same UI unchanged.
• Trust signals — scanner output baked into the static data, rendered as badges + a permissions/findings panel, documented in a new concepts/trust-signals page.
• Docs search — Fumadocs static index (staticGET route + RootProvider type: 'static'), no backend.
• Rewired SiteNav (Marketplace link), the explore tile, and the homepage DesktopMock to use real plugin data instead of hardcoded lists.
• Retired apps/marketplace/ — deleted the dormant Supabase app; archived its 7 migrations + seed to docs/archive/marketplace-supabase/ (history-preserving move); scrubbed references in SECURITY.md, .gitignore, dependabot.yml, CLAUDE.md, and root package.json.
• CI (deploy-docs.yml) — generates the marketplace data via a filtered root install before the (isolated) website build; paths: broadened so plugin/manifest edits trigger a redeploy. Generated JSON is treated as build output (gitignored).

Test Plan

• Generator unit tests pass (pnpm -F @harness-kit/marketplace-data test — 12/12)
• Generator produces 16 plugins; scanner ran on each; --strict exits 0
• Website builds (static export) — /marketplace, 16 /marketplace/[slug], /api/search, and the trust-signals doc all emit
• Full CI generate→build chain reproduced locally with a frozen lockfile
• Browser-verified dark + light mode: index grid (category pills, trust badges, MCP tags, per-card accents) and a detail page (install copy, MCP line, security panel with real findings, SKILL.md viewer)
• CI checks pass

Notes

• Deferred by design (seams in place, not built): dynamic/community/team publishing, reviews, ratings, install counts, auth. These need a DB + API + moderation and have no users yet; the archived Supabase schema + the MarketplaceSource abstraction make adding them later additive rather than a rewrite.
• Out of scope: a live multi-tool compile() playground — compile() uses node:crypto; making it isomorphic (Web Crypto) is an easy follow-up.
• The website intentionally installs in isolation (its own lockfile, no workspace deps), so it imports the generated JSON directly and mirrors the types locally rather than depending on the generator package.