fix(security): critical CLPc identity interface mismatch

[boris]

Vulnerability

Critical interface mismatch between CLPc and the deployed verifier contract.

CLPc calls isVerifiedChilean(address) but the deployed mock verifier exposes isVerified(address).
This can break verification-gated minting/transfers at runtime.

Changes in this PR

• add ZKPassportIdentityRegistryAdapter implementing IIdentityRegistry
• map isVerifiedChilean(user) -> verifier.isVerified(user)
• update deployment script to deploy:
  1. MockZKPassportVerifier
  2. ZKPassportIdentityRegistryAdapter
  3. CLPc using the adapter as identity registry
• add security write-up with exploit/repro and remediation steps:
  • docs/security/01-critical-interface-mismatch.md

How to verify / exploit (old behavior)

1. Deploy old script wiring verifier directly into CLPc.
2. Verify a user in verifier.
3. Call CLPc mint/transfer path that checks verification.
4. Observe failure due to missing isVerifiedChilean selector on verifier.

Remediation / migration steps

1. Deploy with updated script (verifier + adapter + token).
2. Update addresses in runtime env/config.
3. Re-run smoke checks:
   • verify user in verifier
   • canReceive(user)
   • mint to verified user
   • transfer verified -> verified
4. Mark old deployment as deprecated/incompatible.