v0.2.2 — signing flow migrated to Docker Hub

Completes the GHCR → Docker Hub migration started in v0.2.1. The platform-side (workflow + DOCKERHUB.md) shipped earlier today with kvendra-platform v0.1.0-alpha.0 signed release. This patch closes the reference-stack side.

Changes

• scripts/verify.sh: KVENDRA_IMAGES[] target switched from ghcr.io/kvendraai/kvendra-platform:0.1.0-alpha.0 to docker.io/kvendra/kvendra-platform:0.1.0-alpha.0. The cosign --certificate-identity-regexp is unchanged (still ^https://github\.com/KvendraAI/) because the OIDC identity that signs is GitHub Actions — the registry the image lives in is orthogonal to the signing identity.
• docs/signing.md: 4 ghcr.io references updated to docker.io (manual verify IMG, trust-chain diagram, cosign download attestation, release pipeline description). The maintainers section now documents the DOCKERHUB_USERNAME + DOCKERHUB_TOKEN secrets needed for the push leg.

Verified end-to-end

$ cosign verify docker.io/kvendra/kvendra-platform:0.1.0-alpha.0 \
    --certificate-identity-regexp '^https://github.com/KvendraAI/kvendra-platform/' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com
✓ cosign claims validated
✓ Rekor transparency log verified
✓ Fulcio cert chain valid

Image digest: sha256:10f76875aea6712ed6e5b36f0ae55fb6886ed1264f5a712ec138ac2e40448a69.
SBOM (SPDX JSON) attached as a cosign attestation + as an asset on the kvendra-platform v0.1.0-alpha.0 release.

Closes

• ISSUE-KVD-REFERENCESTACK-E17E41 (signing migration GHCR → Docker Hub).

Self-hosted user flow now (complete)

git clone https://github.com/KvendraAI/kvendra-reference-stack
cd kvendra-reference-stack
cp .env.example .env
# Edit .env — paste your Kvendra API key (signup at https://kvendra.cloud)
./scripts/verify.sh    # cosign verify before pull
./scripts/up.sh        # 3 containers (db + platform + backup)