Upstream 2026.06.16

[handstandsam]

Summary

Syncs the latest internal changes into the public repo through 2026.06.16. This is a cleanup + maintenance sync with no user-facing behavior changes:

• Vendor-neutral wording. Replaces references to a specific third-party test-management product in code comments, KDoc, test names, devlog prose, and CLI help text with generic terminology (e.g. "external test case", "test-management system", regression/… example trail paths, a sourceUrl metadata key). Strings and comments only — no runtime behavior changes.
• Removes unused progressive tool-loading machinery. Deletes the dead ToolLoadingStrategy enum, DynamicToolSetManager, and ToolSetManagementToolSet (and their tests), plus the toolLoadingStrategy config key. These were never wired into a live code path; tool exposure is governed by the existing McpToolProfile (FULL / MINIMAL).
• Dependency bump. micrometer 1.13.4 → 1.15.12 in the dependency-guard baselines.

Dependency-guard fix (also in this PR)

The micrometer bump above is a transitive force to patch CVE-2026-40984. That force previously lived only in the internal repo's root build.gradle.kts (not mirrored here), so the synced baselines said 1.15.12 while this repo actually resolved 1.13.4 → dependencyGuard failed. This PR adds a shared gradle/dependency-security.gradle.kts (applied from the root build) so this repo resolves the same 1.15.12, the baselines match, and the open-source build gets the CVE patch too. The internal counterpart is squareup/trailblaze-internal#3805.