GNU mktemp wants 3+ X's in a -t template. The bare `mktemp -t skillcache`
and `mktemp -t skill` calls worked on macOS but crash on Linux before
the script does anything. test-cookbooks.sh fails the same way for all
5 cookbooks because it calls deploy --dry-run.
Adding .XXXXXX is portable: GNU expands the X's, BSD treats them as
prefix. Confirmed on Ubuntu 24.04 / coreutils 9.4: test-cookbooks goes
0/5 -> 5/5.
Param values for matter_id and clause are interpolated directly into the
steering-prompt templates. Their patterns previously permitted spaces, which
would let a hostile document smuggle a natural-language sentence into the
prompt through a field that looks like an ID. Restrict both to slug shape
(no spaces); descriptive context belongs in the note/event fields, which are
never interpolated and are wrapped in the data frame.
Also render templates via format_map with an empty-string default so an
optional param the template references (e.g. playbook_monitor's clause)
degrades gracefully instead of raising KeyError, and ignore __pycache__.
