
Fix security, correctness, and docs issues in file-writing feature #6

Merged
KHAEntertainment merged 2 commits into claude-plugin-v2 from copilot/sub-pr-5
Mar 19, 2026


Copilot AI commented Mar 19, 2026

Seven issues from PR review addressed across grok_bridge.py and README.md.

Security

  • Path traversal — parse_and_write_files() was writing model-supplied paths directly to disk. Added _safe_dest() using Path.relative_to() to reject absolute paths, .. segments, and any resolved path escaping output_dir.

Correctness

  • Byte count — write_text() returns char count, not bytes. Replaced with encode("utf-8") + write_bytes(); reported count now matches actual file size for non-ASCII content.
  • --write-files + --output coexistence — --write-files was silently skipped when --output was set. Both flags now work independently.
  • No-files-found behavior — When --write-files finds no annotated blocks, a short stderr diagnostic is emitted instead of dumping the full model response to stdout (defeating the feature's purpose).
  • stdout/stderr split — Write summary (including "Total:") is now consistently on stdout; stderr reserved for diagnostics.

Code quality

  • Extracted repeated path-validate/encode/write logic into inner _write_file() helper to remove duplication.

Docs

  • README nested backtick fences — Inner fences in Supported Patterns section were terminating outer fences; replaced with 4-space-indented blocks.
  • API key resolution docs — Removed references to non-existent XAI_API_KEY and ~/.config/grok-swarm/config.json; updated to match actual get_api_key() logic (OPENCLAW_OPENROUTER_DEFAULT_KEY, all four OpenClaw auth-profile paths).

Co-authored-by: KHAEntertainment <43256680+KHAEntertainment@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement file writing for OpenClaw plugin Fix security, correctness, and docs issues in file-writing feature Mar 19, 2026
Copilot AI requested a review from KHAEntertainment March 19, 2026 21:06
@KHAEntertainment KHAEntertainment marked this pull request as ready for review March 19, 2026 21:08
@KHAEntertainment KHAEntertainment merged commit 30f00ea into claude-plugin-v2 Mar 19, 2026
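
The path check and byte-count fix from the pull request description above, as an added example that is not the project's own code. `safe_dest` and `write_file` are hypothetical stand-ins for the `_safe_dest()` and `_write_file()` helpers the description names, and the sample paths and file content are constructed.

```python
# Added sketch: safe_dest/write_file are hypothetical stand-ins, not grok_bridge.py code.
import tempfile
from pathlib import Path
from typing import Optional


def safe_dest(output_dir: Path, model_path: str) -> Optional[Path]:
    """Return the resolved destination inside output_dir, or None if rejected."""
    candidate = Path(model_path)
    # Reject empty names, absolute paths and any ".." segment up front.
    if not model_path.strip() or candidate.is_absolute() or ".." in candidate.parts:
        return None
    base = output_dir.resolve()
    # resolve() follows symlinks, so a link inside output_dir that points
    # elsewhere fails the containment check below.
    resolved = (base / candidate).resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        return None
    return None if resolved == base else resolved


def write_file(output_dir: Path, model_path: str, content: str) -> Optional[int]:
    """Write content as UTF-8; return the byte count, or None if the path is rejected."""
    dest = safe_dest(output_dir, model_path)
    if dest is None:
        return None
    data = content.encode("utf-8")  # len(data) is bytes; write_text() would report chars
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return len(data)


def demo() -> dict:
    """Run constructed model-supplied paths against a temporary output dir."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "out"
        out.mkdir()
        (out / "link").symlink_to(Path(tmp))  # constructed symlink escape
        samples = ["src/app.py", "../evil.py", "/tmp/outside.txt", "link/evil.py", "a/../../b"]
        results = {p: write_file(out, p, "naïve = 'é'\n") for p in samples}
        results["size_on_disk"] = (out / "src/app.py").stat().st_size
        return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r}: {outcome}")
```

The containment check holds for the filesystem state at the moment of `resolve()`; a directory replaced by a symlink between the check and the write is not covered by it.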