Security audit fixes:
- The jobs gated on github.event_name == 'pull_request' but the trigger is
pull_request_target, so they never ran (validation was silently disabled).
Gate on 'pull_request_target'.
- Replace the loop-until-stable HTML-comment strip with a single linear pass
(+ trailing-unterminated strip): still leaves no <!-- (CodeQL-clean) but
removes the quadratic re-scan a crafted nested-comment body could abuse.
New .github/workflows/pr-validation.yml (pull_request_target, like seerr, so it
works on fork PRs without checking out fork code): moves the Conventional-Commits
title check out of the quality gate and adds a PR template check
(scripts/check-pr-template.mjs) — Description/Ticket/Testing filled, contribution
+ AI-disclosure boxes ticked (maintainers bypass AI), and Screenshots required
when the PR changes UI (.tsx under app/ or components/). Posts a sticky comment +
'blocked: template' label on failure, clears on success; skips bots + synchronize.
Robust comment stripping (CodeQL-safe). Inspired by seerr's pr-validation.
