feat: integrate framework files into monorepo under packages/mosaic/framework/

Moves all Mosaic framework runtime files from the separate bootstrap repo
into the monorepo as canonical source. The @mosaic/mosaic npm package now
ships the complete framework — bin scripts, runtime configs, tools, and
templates — enabling standalone installation via npm install.

Structure:
  packages/mosaic/framework/
  ├── bin/          28 CLI scripts (mosaic, mosaic-doctor, mosaic-sync-skills, etc.)
  ├── runtime/      Runtime adapters (claude, codex, opencode, pi, mcp)
  ├── tools/        Shell tooling (git, prdy, orchestrator, quality, etc.)
  ├── templates/    Agent and repo templates
  ├── defaults/     Default identity files (AGENTS.md, STANDARDS.md, SOUL.md, etc.)
  ├── install.sh    Legacy bash installer
  └── remote-install.sh  One-liner remote installer

Key files with Pi support and recent fixes:
- bin/mosaic: launch_pi() with skills-local loop
- bin/mosaic-doctor: --fix auto-wiring for all 4 harnesses
- bin/mosaic-sync-skills: Pi as 4th link target, symlink-aware find
- bin/mosaic-link-runtime-assets: Pi settings.json patching
- bin/mosaic-migrate-local-skills: Pi skill roots, symlink find
- runtime/pi/RUNTIME.md + mosaic-extension.ts

Package ships 251 framework files in the npm tarball (278KB compressed).

packages/mosaic/framework/tools/codex/woodpecker/codex-review.yml

@@ -0,0 +1,90 @@
+# Codex AI Review Pipeline for Woodpecker CI
+# Drop this into your repo's .woodpecker/ directory to enable automated
+# code and security reviews on every pull request.
+#
+# Required secrets:
+#   - codex_api_key: OpenAI API key or Codex-compatible key
+#
+# Optional secrets:
+#   - gitea_token: Gitea API token for posting PR comments (if not using tea CLI auth)
+
+when:
+  event: pull_request
+
+variables:
+  - &node_image 'node:22-slim'
+  - &install_codex 'npm i -g @openai/codex'
+
+steps:
+  # --- Code Quality Review ---
+  code-review:
+    image: *node_image
+    environment:
+      CODEX_API_KEY:
+        from_secret: codex_api_key
+    commands:
+      - *install_codex
+      - apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1
+
+      # Generate the diff
+      - git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
+      - DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)
+
+      # Run code review with structured output
+      - |
+        codex exec \
+          --sandbox read-only \
+          --output-schema .woodpecker/schemas/code-review-schema.json \
+          -o /tmp/code-review.json \
+          "You are an expert code reviewer. Review the following code changes for correctness, code quality, testing, performance, and documentation issues. Only flag actionable, important issues. Categorize as blocker/should-fix/suggestion. If code looks good, say so.
+
+        Changes:
+        $DIFF"
+
+      # Output summary
+      - echo "=== Code Review Results ==="
+      - jq '.' /tmp/code-review.json
+      - |
+        BLOCKERS=$(jq '.stats.blockers // 0' /tmp/code-review.json)
+        if [ "$BLOCKERS" -gt 0 ]; then
+          echo "FAIL: $BLOCKERS blocker(s) found"
+          exit 1
+        fi
+        echo "PASS: No blockers found"
+
+  # --- Security Review ---
+  security-review:
+    image: *node_image
+    environment:
+      CODEX_API_KEY:
+        from_secret: codex_api_key
+    commands:
+      - *install_codex
+      - apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1
+
+      # Generate the diff
+      - git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
+      - DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)
+
+      # Run security review with structured output
+      - |
+        codex exec \
+          --sandbox read-only \
+          --output-schema .woodpecker/schemas/security-review-schema.json \
+          -o /tmp/security-review.json \
+          "You are an expert application security engineer. Review the following code changes for security vulnerabilities including OWASP Top 10, hardcoded secrets, injection flaws, auth/authz gaps, XSS, CSRF, SSRF, path traversal, and supply chain risks. Include CWE IDs and remediation steps. Only flag real security issues, not code quality.
+
+        Changes:
+        $DIFF"
+
+      # Output summary
+      - echo "=== Security Review Results ==="
+      - jq '.' /tmp/security-review.json
+      - |
+        CRITICAL=$(jq '.stats.critical // 0' /tmp/security-review.json)
+        HIGH=$(jq '.stats.high // 0' /tmp/security-review.json)
+        if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+          echo "FAIL: $CRITICAL critical, $HIGH high severity finding(s)"
+          exit 1
+        fi
+        echo "PASS: No critical or high severity findings"