Address agentd open issue backlog

[haasonsaas]

Summary

• harden capture privacy/security paths: scrub window titles and document paths, enforce secure/authenticated remote submit, bound local batch retention, and expand secret patterns
• improve capture performance and correctness: bounded backpressure, adaptive idle FPS, preserved stream configuration, pHash dedup window, OCR truncation, and cheap frame byte estimates
• add CI, BUSL SPDX headers, SECURITY/PRIVACY/licensing docs, and focused regression coverage for the open issue queue

Testing

• xcrun swift-format lint --strict --recursive Sources Tests Package.swift
• swift build -Xswiftc -warnings-as-errors
• swift test
• git diff --check

Closes #3
Closes #4
Closes #5
Closes #6
Closes #7
Closes #8
Closes #9
Closes #10
Closes #11
Closes #12
Closes #13
Closes #14
Closes #15
Closes #16
Closes #17
Closes #18
Closes #19
Closes #20

[cursor]

PR Summary

High Risk
Touches security- and privacy-critical code paths (secret detection, captured metadata handling, transport/auth enforcement, and local persistence retention). Also changes capture scheduling/backpressure, which can alter data volume and drop behavior in production.

Overview
This PR significantly hardens agentd’s capture-to-submit pipeline: frames are now secret-scanned across OCR text, window titles, and document paths, OCR text is capped with an ocrTextTruncated flag, and near-duplicate detection uses a small ring-buffer DedupWindow instead of only comparing against the immediately previous frame.

Remote submission is tightened by adding configurable auth (AuthMode with bearer token or mTLS via Keychain), enforcing an endpoint policy (HTTPS or loopback-only HTTP), and adding bounded local fallback retention (age/byte-budget sweeps). Capture is also made more robust with bounded backpressure buffering (droppable AsyncStream + drop accounting) and adaptive FPS that lowers capture rate when the user is idle.

Repo hygiene is improved with a macOS Swift 6 GitHub Actions CI workflow (build/test/swift-format lint), BUSL SPDX headers, and new SECURITY.md, PRIVACY.md, and LICENSING.md docs, plus expanded regression tests for the new privacy/security and submitter behaviors.

^{Reviewed by Cursor Bugbot for commit 66dd7f4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 66dd7f4. Configure here.}