feat: P0 KernelClient功能修复 + P1/P2/P3质量改进

P0 KernelClient 功能断裂修复:
- Skill CUD: registry.rs create/update/delete + serialize_skill_md + kernel proxy
- Workflow CUD: pipeline_commands.rs create/update/delete + serde_yaml依赖
- Agent更新: registry update方法 + AgentConfigUpdated事件 + agent_update命令
- Hand流式事件: HandStart/HandEnd变体替换ToolStart/ToolEnd
- 后端验证: hand_get/hand_run_status/hand_run_list确认实现完整
- Approval闭环: respond_to_approval后台spawn+5分钟超时轮询

P2/P3 质量改进:
- Browser WebDriver: TCP探测ChromeDriver/GeckoDriver/Edge端口替换硬编码true
- api-fallbacks: 移除假技能和16个捏造安全层，替换为真实能力映射
- dead_code清理: 移除5个模块级#![allow(dead_code)]，删除3个真正死方法，
  删除未注册的compactor_compact_llm命令，warnings从8降到3
- 所有变更通过cargo check + tsc --noEmit验证

desktop/src/lib/api-fallbacks.ts

@@ -182,12 +182,8 @@ export function getUsageStatsFallback(sessions: SessionForStats[] = []): UsageSt
  */
 export function getPluginStatusFallback(skills: SkillForPlugins[] = []): PluginStatusFallback[] {
   if (skills.length === 0) {
-    // Return default built-in skills if none provided
-    return [
-      { id: 'builtin-chat', name: 'Chat', status: 'active', description: '基础对话能力' },
-      { id: 'builtin-code', name: 'Code', status: 'active', description: '代码生成与分析' },
-      { id: 'builtin-file', name: 'File', status: 'active', description: '文件操作能力' },
-    ];
+    // No skills loaded — return empty rather than fabricating fake builtins
+    return [];
   }
 
   return skills.map((skill) => ({
@@ -215,26 +211,17 @@ export function getScheduledTasksFallback(triggers: TriggerForTasks[] = []): Sch
 
 /**
  * Default security status when /api/security/status returns 404.
- * ZCLAW has 16 security layers - show them with conservative defaults.
+ * Returns honest minimal response — only includes layers that correspond
+ * to real ZCLAW capabilities, no fabricated layers.
  */
 export function getSecurityStatusFallback(): SecurityStatusFallback {
   const layers: SecurityLayerFallback[] = [
-    { name: 'Input Validation', enabled: true, description: '输入验证' },
-    { name: 'Output Sanitization', enabled: true, description: '输出净化' },
-    { name: 'Rate Limiting', enabled: true, description: '速率限制' },
-    { name: 'Authentication', enabled: true, description: '身份认证' },
-    { name: 'Authorization', enabled: true, description: '权限控制' },
-    { name: 'Encryption', enabled: true, description: '数据加密' },
-    { name: 'Audit Logging', enabled: true, description: '审计日志' },
-    { name: 'Sandboxing', enabled: false, description: '沙箱隔离' },
-    { name: 'Network Isolation', enabled: false, description: '网络隔离' },
-    { name: 'Resource Limits', enabled: true, description: '资源限制' },
-    { name: 'Secret Management', enabled: true, description: '密钥管理' },
-    { name: 'Certificate Pinning', enabled: false, description: '证书固定' },
-    { name: 'Code Signing', enabled: false, description: '代码签名' },
-    { name: 'Secure Boot', enabled: false, description: '安全启动' },
-    { name: 'TPM Integration', enabled: false, description: 'TPM 集成' },
-    { name: 'Zero Trust', enabled: false, description: '零信任' },
+    { name: 'device_auth', enabled: true, description: '设备认证' },
+    { name: 'rbac', enabled: true, description: '角色权限控制' },
+    { name: 'audit_log', enabled: true, description: '审计日志' },
+    { name: 'approval_gate', enabled: true, description: '操作审批门' },
+    { name: 'input_validation', enabled: true, description: '输入验证' },
+    { name: 'secret_storage', enabled: true, description: '密钥安全存储 (OS keyring)' },
   ];
 
   const enabledCount = layers.filter((l) => l.enabled).length;