refactor: extract skills from commands across 8 plugins

Refactored commands to extract reusable skills following the
Commands → Skills separation pattern. Each command is now <50 lines
and references skill files for detailed knowledge.

Plugins refactored:
- claude-config-maintainer: 5 commands → 7 skills
- code-sentinel: 3 commands → 2 skills
- contract-validator: 5 commands → 6 skills
- data-platform: 10 commands → 6 skills
- doc-guardian: 5 commands → 6 skills (replaced nested dir)
- git-flow: 8 commands → 7 skills

Skills contain: workflows, validation rules, conventions,
reference data, tool documentation

Commands now contain: YAML frontmatter, agent assignment,
skills list, brief workflow steps, parameters

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

plugins/code-sentinel/commands/security-scan.md

@@ -8,61 +8,34 @@ Comprehensive security audit of the project.
 
 ## Visual Output
 
-When executing this command, display the plugin header:
-
 ```
-┌──────────────────────────────────────────────────────────────────┐
-│  🔒 CODE-SENTINEL · Security Scan                                │
-└──────────────────────────────────────────────────────────────────┘
++----------------------------------------------------------------------+
+|  CODE-SENTINEL - Security Scan                                       |
++----------------------------------------------------------------------+
 ```
 
-Then proceed with the scan workflow.
+## Skills to Load
+
+- skills/security-patterns/SKILL.md
 
 ## Process
 
-1. **File Discovery**
-   Scan all code files: .py, .js, .ts, .jsx, .tsx, .go, .rs, .java, .rb, .php, .sh
+1. **File Discovery** - Scan: .py, .js, .ts, .jsx, .tsx, .go, .rs, .java, .rb, .php, .sh
+2. **Pattern Detection** - Apply patterns from skill (Critical/High/Medium severity)
+3. **Report** - Group by severity, include code snippets and fixes
 
-2. **Pattern Detection**
+## Output Format
 
-   ### Critical Vulnerabilities
-   | Pattern | Risk | Detection |
-   |---------|------|-----------|
-   | SQL Injection | High | String concat in SQL queries |
-   | Command Injection | High | shell=True, os.system with vars |
-   | XSS | High | innerHTML with user input |
-   | Code Injection | Critical | eval/exec with external input |
-   | Deserialization | Critical | pickle.loads, yaml.load unsafe |
-   | Path Traversal | High | File ops without sanitization |
-   | Hardcoded Secrets | High | API keys, passwords in code |
-   | SSRF | Medium | URL from user input in requests |
-
-   ### Code Quality Issues
-   | Pattern | Risk | Detection |
-   |---------|------|-----------|
-   | Broad Exceptions | Low | `except:` or `except Exception:` |
-   | Debug Statements | Low | print/console.log with data |
-   | TODO/FIXME Security | Medium | Comments mentioning security |
-   | Deprecated Functions | Medium | Known insecure functions |
-
-3. **Output Format**
 ```
 ## Security Scan Report
 
 ### Critical (Immediate Action Required)
-🔴 src/db.py:45 - SQL Injection
-   Code: `f"SELECT * FROM users WHERE id = {user_id}"`
-   Fix: Use parameterized query: `cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))`
+[red] file:line - Vulnerability Type
+   Code: `problematic code`
+   Fix: Recommended solution
 
-### High
-🟠 config.py:12 - Hardcoded Secret
-   Code: `API_KEY = "sk-1234..."`
-   Fix: Use environment variable: `API_KEY = os.environ.get("API_KEY")`
-
-### Medium
-🟡 utils.py:78 - Broad Exception
-   Code: `except:`
-   Fix: Catch specific exceptions
+### High / Medium / Low
+[Similar format]
 
 ### Summary
 - Critical: X (must fix before deploy)
@@ -70,7 +43,8 @@ Then proceed with the scan workflow.
 - Medium: X (improve when possible)
 ```
 
-4. **Exit Code Guidance**
-   - Critical findings: Recommend blocking merge/deploy
-   - High findings: Recommend fixing before release
-   - Medium/Low: Informational
+## Exit Guidance
+
+- Critical findings: Block merge/deploy
+- High findings: Fix before release
+- Medium/Low: Informational