
feat(ci): add toolchain version probe and improve breach monitor accuracy#220

Open

DimaBir wants to merge 2 commits into main from feat/msdo-breach-monitor

Conversation

Collaborator

@DimaBir DimaBir commented Mar 22, 2026

Summary

  • Adds weekly toolchain version probe workflow that installs MSDO tools and records exact resolved versions into .github/toolchain-versions.json
  • Breach monitor now reads pinned versions from that file instead of querying registries — catches the case where MSDO .gdntool configs pin tools to specific versions
  • Fixes breach monitor gaps found after first run: adds python/dotnet ecosystems (PyPI was blocked), queries all 4 advisory ecosystems (pip, go, npm, nuget), extends recency window from 48h to 7 days with ongoing-always-flag rule, adds repo archival check for Terrascan-style unmaintained tools, strengthens duplicate detection to cover recently-closed issues

Key design decisions

  • Probe uses continue-on-error: true — tool installation is the side effect we want, scan result doesn't matter
  • Install dirs follow {PackageName}.{version} pattern (confirmed from DotNetToolClient.cs:244) — parsed by regex, not brittle string splitting
  • raw_dirs field in JSON preserved so first real run reveals exact package names for any unmapped tools
  • Probe commits with [skip ci] to avoid triggering itself
  • Breach monitor falls back to registry queries if toolchain-versions.json is missing or older than 14 days

Files

| File | Purpose |
| --- | --- |
| .github/workflows/toolchain-version-probe.yml | Weekly probe — runs MSDO, scrapes .gdn/i/ install dirs, commits versions |
| .github/workflows/msdo-breach-monitor.md | Updated Step 0 reads pinned versions; fixed ecosystems, recency, duplicate check |
| .github/workflows/msdo-breach-monitor.lock.yml | Recompiled |

Test plan

  • Trigger probe manually after merge: gh workflow run toolchain-version-probe.yml
  • Verify .github/toolchain-versions.json committed with correct versions
  • Check raw_dirs to confirm PKG_TO_TOOL mapping covers all installed packages
  • Trigger breach monitor and verify it reads from toolchain-versions.json in Step 0

@DimaBir DimaBir self-assigned this Mar 22, 2026
@DimaBir DimaBir added labels enhancement (New feature or request), agentic-workflows, area:msdo-cli (MSDO CLI integration and execution) on Mar 22, 2026
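The two mechanisms the PR description relies on, parsing `{PackageName}.{version}` install directories with a regex while keeping `raw_dirs` for unmapped packages, and the breach monitor's "older than 14 days, fall back to registries" rule, as an added Python example that is not the project's own code. The `PKG_TO_TOOL` entries, the sample directory names, the JSON field names (`probed_at`, `tools`, `unmapped`, `raw_dirs`) and the `DIR_RE` pattern are assumptions; the real package names are exactly what the first probe run is meant to reveal.

```python
import json
import re
from datetime import datetime, timedelta

# Hypothetical package -> tool mapping (assumption). The PR says the real
# PKG_TO_TOOL table gets filled in once raw_dirs shows the actual package names.
PKG_TO_TOOL = {
    "Example.Vendor.ToolA": "tool-a",
    "Example.Vendor.ToolB": "tool-b",
}

# Install dirs follow {PackageName}.{version}. The package name itself contains
# dots, so the version is anchored at the end and the name matched non-greedily,
# instead of splitting on "." which would cut a dotted package name apart.
DIR_RE = re.compile(r"^(?P<pkg>.+?)\.(?P<ver>\d+(?:\.\d+)+(?:-[0-9A-Za-z.]+)?)$")


def parse_install_dirs(raw_dirs):
    """Probe side: map scraped .gdn/i/ dir names to {tool: version}, keep the rest."""
    tools, unmapped = {}, []
    for name in raw_dirs:
        m = DIR_RE.match(name)
        if m is None:
            unmapped.append(name)  # does not follow the {PackageName}.{version} pattern
            continue
        tool = PKG_TO_TOOL.get(m["pkg"])
        if tool is None:
            unmapped.append(name)  # pattern fine, package not in PKG_TO_TOOL yet
            continue
        tools[tool] = m["ver"]
    # raw_dirs is preserved verbatim so a reviewer can extend PKG_TO_TOOL later.
    return {"tools": tools, "unmapped": unmapped, "raw_dirs": list(raw_dirs)}


def pinned_versions_usable(probe_json, now_iso, max_age_days=14):
    """Monitor side: return pinned versions only if the probe output is fresh.

    Returns None when the file is stale, signalling the caller to fall back to
    registry queries instead of trusting out-of-date pins. Timestamps are ISO 8601.
    """
    data = json.loads(probe_json)
    probed = datetime.fromisoformat(data["probed_at"])
    now = datetime.fromisoformat(now_iso)
    if now - probed > timedelta(days=max_age_days):
        return None
    return data["tools"]


# Constructed sample directory names, not real MSDO package names.
SAMPLE_DIRS = [
    "Example.Vendor.ToolA.1.4.2",
    "Example.Vendor.ToolB.2.0.0-beta.3",
    "Example.Vendor.Unknown.0.9.1",
    "not-a-tool-dir",
]

if __name__ == "__main__":
    print(json.dumps(parse_install_dirs(SAMPLE_DIRS), indent=2))
```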