feat: canonicalize provider contracts

[intel352]

Summary

• expand compute-core provider catalog contracts with org/pool access policy, operations, artifact specs, upstream evidence, and conformance evidence
• align validation with workflow-compute's provider contract boundary for richer security/proof tiers while rejecting runtime-only trusted-native/receipt-only declarations
• document compute-core as the portable provider-facing base contract rather than an application/runtime owner

TDD evidence

With implementation absent:

$ GOWORK=off go test ./protocol -run 'AccessScoped|PoolWithoutOrg|ProviderWorkload|DuplicateArtifact|RealClient|RequiresUpstream|RuntimeOnly|ConformanceEvidence' -count=1
FAIL — compute-core lacked OrgID/PoolID/AccessPolicy/Operations/ProviderConformanceEvidence fields and richer constants

Adversarial follow-up found version drift in SupportsProduct:

$ GOWORK=off go test ./protocol -run MismatchedProductVersion -count=1
FAIL — mismatched product provider_config.version was accepted

With fixes restored:

$ GOWORK=off go test ./protocol -run 'AccessScoped|PoolWithoutOrg|ProviderWorkload|DuplicateArtifact|RealClient|RequiresUpstream|RuntimeOnly|ConformanceEvidence|MismatchedProductVersion' -count=1
PASS

Verification

• GOWORK=off go test ./... -v -race -count=1
• GOWORK=off go build ./...
• GOWORK=off go vet ./...
• git diff --check
• GOWORK=off go run ./cmd/wfctl plugin validate-contract /Users/jon/workspace/workflow-plugin-compute-core from /Users/jon/workspace/workflow