Commit 92b87fb
Add deep verification for composite/docker actions
For non-JS actions the script previously just printed "SKIPPED". Now it
performs comprehensive analysis:
- Recursive nested action inspection (all types, not just composite), with trusted org skip for actions/ and github/
- Dockerfile analysis (base image pinning, suspicious commands)
- Script pattern scanning (eval, exec, pipe-to-shell, obfuscation)
- Dependency pinning checks (Python requirements, package.json, lock files)
- Action metadata analysis (shell injection, GITHUB_ENV writes, secrets)
- Repository metadata (license, security policy, well-known org)
- Structured verification summary table with nested actions sub-table
- Interactive open-in-browser + approve flow after verification
- All prompts now support 'q' to quit cleanly
- Extract action refs from actions.yml entries in PR diffs (--from-pr)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent aacbd35 · commit 92b87fb
1 file changed
Lines changed: 1197 additions & 37 deletions
0 commit comments
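Three of the checks the commit message lists (action ref SHA pinning, Dockerfile base image digest pinning, and pipe-to-shell scanning), written out as an added illustration; this is example code, not the commit's own script. The action.yml and Dockerfile inputs below are constructed, and the commit SHA and image digest in them are placeholder values.

```python
import re

# Constructed sample inputs (placeholders, not real actions or images).
SAMPLE_ACTION_YML = """
name: demo
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: someorg/tool@3f1a2b4c5d6e7f8091a2b3c4d5e6f708192a3b4c
    - run: curl -sSL https://example.invalid/install.sh | bash
      shell: bash
"""

SAMPLE_DOCKERFILE = """
FROM python:3.12-slim
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN pip install -r requirements.txt
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FROM_RE = re.compile(r"^FROM\s+(\S+)", re.MULTILINE | re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b")


def unpinned_uses(text):
    """Return `uses:` refs that are not pinned to a full 40-hex commit SHA.

    A tag such as @v4 can be moved by the upstream maintainer (or an attacker
    who compromises the repo); a commit SHA cannot.
    """
    out = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and docker:// refs need different checks
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            out.append(ref)
    return out


def unpinned_base_images(dockerfile):
    """Return FROM images that lack an immutable @sha256: digest."""
    return [img for img in FROM_RE.findall(dockerfile) if "@sha256:" not in img]


def pipe_to_shell_lines(text):
    """Return lines that download content and pipe it straight into a shell."""
    return [line.strip() for line in text.splitlines() if PIPE_TO_SHELL_RE.search(line)]
```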