feat(runtime): dlp-gen — generate DLP test corpora + dlp-test-files skill

[cdot65]

Summary

Adds airs runtime dlp-gen, a local generator for DLP test corpora, plus a companion dlp-test-files skill (the repo's first skill).

• Generates clean carrier files and dirty copies with synthetic sensitive data embedded via multiple techniques per format.
• Formats: PDF, PNG, JPEG, SVG, DOCX. 15 techniques total (3 each):
  • PDF: meta, hidden-text, trailer
  • PNG: text-chunks, trailer, stego-lsb
  • JPEG: exif, com, trailer
  • SVG: meta, hidden-text, comment
  • DOCX: core-props, hidden-run, visible
• Writes <out>/clean/, <out>/dirty/, and manifest.json (dirty file → technique + embedded values) for scanner scoring.
• Randomized synthetic payloads (reserved-range SSNs, Luhn-valid test PANs, example.com emails, AWS …EXAMPLE keys, …); --seed for reproducibility. No real PII.

Architecture

• Framework-free, unit-tested core under src/dlp/ (rng, payload, lorem, manifest, generators, embedders, orchestrator).
• Thin Commander wiring in src/cli/commands/dlp-gen.ts, registered under the runtime group.
• New deps: pdf-lib, docx, sharp, piexifjs.

Tests / gates

• 50+ new unit tests under tests/unit/dlp/ (each embedder verified via a real extractor: PNG chunk/LSB decode, EXIF read, PDF stream inflate + hex decode, docx unzip, etc.).
• Full suite: 562 tests pass; coverage 93.13% lines / 88.11% branches / 99.61% functions (above thresholds). tsc --noEmit clean; mkdocs build clean.

Docs

• docs/runtime/dlp-gen.md (+ nav), AGENTS.md entry, changeset (minor).

Test plan

• pnpm test:coverage, pnpm tsc --noEmit, mkdocs build all green locally
• CLI smoke: airs runtime dlp-gen --types all --seed 1 → 5 clean + 15 dirty + manifest
• Run dirty files through a scanner and reconcile against manifest.json