[CI] Add repo-native validation for deploy, cron, and shell changes (#289)

**Fixes pre-existing syntax errors caught by the new validation:**
- bin/quality-gate.py: unterminated f-string literal (line 216)
- scripts/quality_gate_integration.py: unterminated string literal (lines 58, 144)
- scripts/cron_audit.py: unterminated string literal (line 176)
- scripts/token-tracker.py: global DB_PATH declared after use (line 177)

**New CI pipeline proof tests:**
- tests/test_ci_validation.py: 14 tests proving the pipeline catches broken
  shell (bash -n), Python (py_compile), JSON, YAML, and cron files before
  they reach main. Includes both positive (valid files pass) and negative
  (broken files fail) fixtures.

**Workflow enhancements (.gitea/workflows/validate-config.yaml):**
- Added explicit  syntax check for all shell scripts
- Added  schema validation (required keys: jobs, name, schedule)
- Added  job running the proof test suite
- Made shellcheck non-fatal () since bash -n is the baseline gate

**Documentation:**
- README.md: new 'CI Validation' section documenting what is checked,
  how to run tests locally, and linking to the workflow files

Closes #289

scripts/token-tracker.py

@@ -172,9 +172,9 @@ def main():
     parser.add_argument("--summary", action="store_true")
     parser.add_argument("--log", nargs=3, metavar=("PIPELINE", "WORKER", "TOKENS"))
     parser.add_argument("--budget", nargs=2, metavar=("PIPELINE", "TARGET"))
+    global DB_PATH
     parser.add_argument("--db", type=str, default=str(DB_PATH))
     args = parser.parse_args()
-    global DB_PATH
     DB_PATH = Path(args.db)
     conn = get_db()
     if args.log: