refactor: remove remote module install, extract bread-sync, make CI real

Security:
- Remove `bread modules install github:…`. Remote fetch pulled unreviewed
  third-party Lua and ran it with full bread.exec() privileges in an
  unsandboxed runtime. Module install is now local-only; parse_source
  rejects github:/git: with an explicit message.

bread-sync extracted from the workspace (parked for its own project):
- Removed from workspace members (now excluded); see bread-sync/EXTRACTION.md
- Removed the entire `bread sync` CLI surface and now-unused deps
  (bread-sync, reqwest, tar, flate2; tempfile demoted to dev-dependency)
- Removed the sync.status IPC method from breadd plus its integration tests
- Moved the generic `expand_path` helper into bread-shared (with unit tests)

CI now actually runs and gates quality:
- Trigger on master/dev (was `main` — CI had never run, not once)
- Added `cargo fmt --check` and `clippy -D warnings`; fixed 4 clippy warnings
- Dropped the macOS matrix entry (breadd is Linux-only: udev/rtnetlink);
  added the libudev-dev system dependency the Linux build needs

Hardening / honesty:
- New ipc test: daemon survives repeated reloads and the event pipeline
  resumes (the prior suite only had a single happy-path reload check)
- Docs scrubbed of sync across README/Documentation/Overview/DAEMON
- "production-ready" and "compositor-agnostic" claims reworded to match
  reality rather than aspiration

Note: bread-sync/src/export.rs held pre-existing local WIP authored outside
this change set and is intentionally excluded from this commit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

bread-shared/src/lib.rs

@@ -89,11 +89,53 @@ pub fn now_unix_ms() -> u64 {
         .as_millis() as u64
 }
 
+/// Expand a leading `~` or `~/` in a path string to the user's home directory.
+///
+/// Falls back to returning the path unchanged if `$HOME` is unset, which keeps
+/// callers infallible. Shared by the daemon and CLI for resolving
+/// user-supplied paths (config entries, module install sources).
+pub fn expand_path(path: &str) -> std::path::PathBuf {
+    use std::path::PathBuf;
+    let home = std::env::var("HOME").ok();
+    if path == "~" {
+        if let Some(home) = home {
+            return PathBuf::from(home);
+        }
+    } else if let Some(rest) = path.strip_prefix("~/") {
+        if let Some(home) = home {
+            return PathBuf::from(home).join(rest);
+        }
+    }
+    PathBuf::from(path)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
     use serde_json::json;
 
+    #[test]
+    fn expand_path_leaves_non_tilde_paths_unchanged() {
+        use std::path::PathBuf;
+        assert_eq!(expand_path("/abs/path"), PathBuf::from("/abs/path"));
+        assert_eq!(expand_path("relative/x"), PathBuf::from("relative/x"));
+        assert_eq!(expand_path("./x"), PathBuf::from("./x"));
+        // A `~` not in leading position is not special.
+        assert_eq!(expand_path("/etc/~weird"), PathBuf::from("/etc/~weird"));
+    }
+
+    #[test]
+    fn expand_path_expands_leading_tilde() {
+        // Read-only env access; safe under parallel test execution.
+        if let Ok(home) = std::env::var("HOME") {
+            assert_eq!(expand_path("~"), std::path::PathBuf::from(&home));
+            assert_eq!(
+                expand_path("~/.config/bread"),
+                std::path::PathBuf::from(&home).join(".config/bread")
+            );
+        }
+    }
+
     #[test]
     fn adapter_source_serializes_as_snake_case() {
         assert_eq!(