Bundle 9 follow-up: ST1018 ESC sweep + make verify pre-commit gate

CI on the bundle-9 merge (run #24962543332) failed golangci-lint with 16
staticcheck ST1018 'string literal contains the Unicode format character
U+202X, consider using the \u202X escape sequence' hits — across the
two test files we added (internal/validation/unicode_test.go +
internal/connector/issuer/local/bundle9_coverage_test.go).

Mechanical sweep, byte-identical at runtime:

  internal/validation/unicode_test.go (13 + 1 hits cleared)
    RTL/LTR overrides U+202A..U+202E + U+2066..U+2069 (lines 39-47)
    zero-width U+200B..U+200D + U+2060 (lines 67-70)
    additional U+202E in TestValidateUnicodeSafe_ErrorMentionsByteOffset

  internal/connector/issuer/local/bundle9_coverage_test.go (3 hits)
    U+202E in TestValidateCSRUnicode_RejectsDNSNameRTL
    U+200B in TestValidateCSRUnicode_RejectsEmailZeroWidth
    U+202E in TestValidateCSRUnicode_RejectsAdditionalSAN

The strings now use Go \uXXXX escape sequences. Identical UTF-8 bytes
hit ValidateUnicodeSafe at runtime — every test passes unchanged
locally. The file-header comment in unicode_test.go that promised this
convention is now actually honored.

Verification: staticcheck -checks=ST1018 returns clean across the two
packages. go test -count=1 -short still green.

Pre-commit gate added to prevent recurrence:

  Makefile: new 'verify' aggregate target runs gofmt + go vet +
    golangci-lint run + go test -short — same set CI enforces. Run
    'make verify' before every commit going forward.

  cowork/CLAUDE.md: new 'Pre-commit verification gate' paragraph in
    Operating Rules. Documents make verify as the canonical gate;
    explains WHY (Bundle-9 shipped green-on-vet / red-on-CI because
    ST1018 only fires under golangci-lint's staticcheck, not vet);
    documents the staticcheck-only fallback for disk-constrained
    sandboxes.

This commit changes only:
  - 2 test source files (\uXXXX escapes, no behavior change)
  - Makefile (1 new target, 1 .PHONY entry, 1 help line)
  - cowork/CLAUDE.md (1 new operating-rule paragraph)

internal/validation/unicode_test.go

@@ -36,15 +36,15 @@ func TestValidateUnicodeSafe_RejectsRTLOverride(t *testing.T) {
 		name string
 		in   string
 	}{
-		{"LRE", "good‪com"},
-		{"RLE", "good‫com"},
-		{"PDF", "good‬com"},
-		{"LRO", "good‭com"},
-		{"RLO", "good‮com"},
-		{"LRI", "good⁦com"},
-		{"RLI", "good⁧com"},
-		{"FSI", "good⁨com"},
-		{"PDI", "good⁩com"},
+		{"LRE", "good\u202Acom"},
+		{"RLE", "good\u202Bcom"},
+		{"PDF", "good\u202Ccom"},
+		{"LRO", "good\u202Dcom"},
+		{"RLO", "good\u202Ecom"},
+		{"LRI", "good\u2066com"},
+		{"RLI", "good\u2067com"},
+		{"FSI", "good\u2068com"},
+		{"PDI", "good\u2069com"},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
@@ -64,10 +64,10 @@ func TestValidateUnicodeSafe_RejectsZeroWidth(t *testing.T) {
 		name string
 		in   string
 	}{
-		{"ZWSP", "good​com"},
-		{"ZWNJ", "good‌com"},
-		{"ZWJ", "good‍com"},
-		{"WJ", "good⁠com"},
+		{"ZWSP", "good\u200Bcom"},
+		{"ZWNJ", "good\u200Ccom"},
+		{"ZWJ", "good\u200Dcom"},
+		{"WJ", "good\u2060com"},
 		{"BOM", "good\uFEFFcom"},
 	}
 	for _, c := range cases {
@@ -141,7 +141,7 @@ func TestValidateUnicodeSafe_AcceptsPureNonASCII(t *testing.T) {
 }
 
 func TestValidateUnicodeSafe_ErrorMentionsByteOffset(t *testing.T) {
-	in := "good‮evil.com"
+	in := "good\u202Eevil.com"
 	err := ValidateUnicodeSafe(in)
 	if err == nil {
 		t.Fatal("expected rejection")