security(home): drop all neovim plugins to shrink supply-chain exposure (#259)

* chore(home): drop AstroNvim bundle and centralize editors

Remove the bundled Neovim plugin tree to shrink supply-chain exposure; keep a
minimal programs.neovim backup. Daily editing stays Helix-first with Yazi and
Zellij.

- Add Helix/Neovim docs, glossary, and cheatsheets under core/editors/.
- Default EDITOR/VISUAL to hx; use SUDO_EDITOR nvim --clean for sudoedit and
  other sensitive edits; adjust Nushell buffer_editor accordingly.
- Apply Helix Home Manager settings (keys, editor UI) in core/editors/helix.
- Keep heavy language-server tooling only in home/base/tui/editors/packages.nix;
  wire it via an explicit default.nix import so core stays lightweight.
- Extend modules/base packages.nix where that profile sets global editor env.

* docs: link editors, VS Code, and agents from README

Document tui/editors versus core/editors; add root README pointers to GUI
vscode (Home Manager) and agents/. Cross-link heavy packages README from
core/editors.

modules/base/packages.nix

@@ -1,14 +1,19 @@
 { pkgs, ... }:
 {
-  # for security reasons, do not load neovim's user config
-  # since EDITOR may be used to edit some critical files
-  environment.variables.EDITOR = "nvim --clean";
+  # Default editor: Helix (`hx`). Privileged edits (`sudoedit`, …) prefer `nvim --clean`
+  # via `SUDO_EDITOR`; invoke `nvim --clean` manually for other sensitive workflows.
+  environment.variables = {
+    EDITOR = "hx";
+    VISUAL = "hx";
+    SUDO_EDITOR = "nvim --clean";
+  };
 
   environment.systemPackages = with pkgs; [
     # core tools
     nushell # nushell
     fastfetch
-    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    helix # default $EDITOR (`hx`)
+    neovim # backup editor; `nvim --clean` for sensitive / privileged edits (`$SUDO_EDITOR`)
     gnumake # Makefile
     just # a command runner like gnumake, but simpler
     git # used by nix flakes