fix: 9 pre-publish bugs — health URL, npm audit, CodeQL, homepage, UTC, polish

[sagar-grv]

Pre-publication bug fixes — 9 issues resolved

Critical bugs fixed

• Bug 1: Health check was generated for GitHub/GitLab/Bitbucket repo URLs (e.g. package.json homepage pointing to github.com/user/repo#readme). Health check now only generates when deploy URL is a real production site.
• Bug 2: npm audit check used bash-only syntax (2>/dev/null || echo "{}") that silently failed on Windows. Fixed to catch the thrown error and read e.stdout instead.
• Bug 3: CodeQL path filter only watched src/**/*. Projects without a src/ directory only got weekly scanning, not per-PR. Removed path filter — CodeQL now runs on every push/PR.

Medium issues fixed

• Issue 4: package.json homepage updated from GitHub README URL to the real landing page at https://sagar-grv.github.io/shipkit/
• Issue 5: Dependabot timezone was hardcoded to Asia/Kolkata. Changed to UTC for all users.

Low/polish fixed

• Bug 6: Missing spaces before arrows in dry-run output (codeql.yml<-, auto-merge.yml<-, health.yml<-)
• Issue 7: Typo // Uprade command corrected to // Upgrade command
• Issue 8: Removed No Node.js? Download from: .../releases from --help (no releases exist)
• Issue 9: README PowerShell install command | powershell corrected to | iex

Verified

• E2E test: empty project, github-homepage project, real-deploy project, full generation
• npm test passes (--help, --version, --dry-run, check, check --json)