
Add Prophet Trust Chain supply-chain validation artifacts#264

Merged
mdheller merged 6 commits into
mainfrom
trust-chain-supply-chain-validation
Jun 2, 2026

Conversation

@mdheller (Member) commented Jun 2, 2026

Summary

Implements the first AgentPlane slice for Prophet Trust Chain supply-chain validation evidence.

This PR adds SupplyChainValidationArtifact as a contract surface binding runtime supply-chain evidence to AgentPlane validation, replay, and receipt evidence.

Closes #261.

Changes

  • Add schema: schemas/trust-chain/supply-chain-validation-artifact.v0.1.schema.json
  • Add valid fixture: tests/fixtures/trust-chain/supply-chain-validation.valid.json
  • Add blocked fixture: tests/fixtures/trust-chain/supply-chain-validation.blocked.json
  • Add validator: tools/validate_trust_chain_supply_chain_validation.py
  • Add tests: tools/tests/test_trust_chain_supply_chain_validation.py
  • Update README with Trust Chain supply-chain validation docs and boundary language

Acceptance coverage

The valid fixture requires SBOM, VEX, lockfile, signature, scan, promotion, rollback, policy, guardrail, validation, replay, and runtime receipt references before production-scope execution and promotion are allowed.

The blocked fixture denies execution and promotion, requires repair and human review, and preserves remediation authority.

The validator enforces:

  • schema shape;
  • production validated records require all core evidence refs;
  • production validated records require policy, guardrail, validation, replay, and runtime receipt refs;
  • blocked records deny execution and promotion;
  • blocked records require repair and human review;
  • remediation steps require authority and must be required before execution.

Boundary

This does not perform live package scanning, certify runtime production readiness by itself, replace Lattice Forge runtime evidence, replace Policy Fabric policy profiles, or replace Guardrail Fabric action admission.

Validation

Expected:

python3 tools/validate_trust_chain_supply_chain_validation.py
python3 -m pytest -q tools/tests/test_trust_chain_supply_chain_validation.py
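The six rules listed above describe a record validator, but the schema and fixtures are not on this page. The block below is an added illustration of that rule set and is not the project's tools/validate_trust_chain_supply_chain_validation.py; every field name in it (scope, status, decision, evidence, remediation, the *_ref keys, the decision flags) is an assumption, and the sample records are constructed here rather than taken from the PR's fixtures. It shows a valid production record and a blocked record passing, and a blocked record that was edited to allow execution and drop remediation authority failing.

```python
"""Illustrative validator for a supply-chain validation artifact.

Added example for this page. It is NOT the project's
tools/validate_trust_chain_supply_chain_validation.py and does not read the
PR's schema or fixtures. Every field name (scope, status, decision, evidence,
remediation, *_ref, the decision flags) is an assumption; the checks mirror
the six rules the PR description lists for its validator.
"""
import copy

# Assumed keys for the "core evidence" refs the PR's acceptance section names.
CORE_EVIDENCE_REFS = (
    "sbom_ref", "vex_ref", "lockfile_ref", "signature_ref",
    "scan_ref", "promotion_ref", "rollback_ref",
)
# Assumed keys for the policy/guardrail/validation/replay/runtime receipt refs.
CONTROL_REFS = (
    "policy_ref", "guardrail_ref", "validation_ref", "replay_ref", "runtime_receipt_ref",
)
REQUIRED_TOP_LEVEL = ("scope", "status", "decision", "evidence", "remediation")


def validate_artifact(artifact: dict) -> list[str]:
    """Return human-readable violations; an empty list means the record passes."""
    errors: list[str] = []

    # Rule 1: schema shape. Without the top-level keys nothing else can be checked.
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in artifact]
    if missing:
        return [f"schema: missing top-level key(s) {missing}"]
    if not isinstance(artifact["evidence"], dict) or not isinstance(artifact["remediation"], list):
        return ["schema: 'evidence' must be an object and 'remediation' a list"]

    scope, status = artifact["scope"], artifact["status"]
    decision, evidence = artifact["decision"], artifact["evidence"]

    # Rules 2 and 3: a production-scope record marked validated must carry every
    # core evidence ref and every policy/guardrail/validation/replay/receipt ref.
    if scope == "production" and status == "validated":
        for key in CORE_EVIDENCE_REFS + CONTROL_REFS:
            if not evidence.get(key):
                errors.append(f"production validated record missing evidence ref '{key}'")

    # Rules 4 and 5: a blocked record must deny execution and promotion and
    # must demand repair plus human review before anything proceeds.
    if status == "blocked":
        for flag in ("execution_allowed", "promotion_allowed"):
            if decision.get(flag) is not False:
                errors.append(f"blocked record must set decision.{flag} to false")
        for flag in ("repair_required", "human_review_required"):
            if decision.get(flag) is not True:
                errors.append(f"blocked record must set decision.{flag} to true")

    # Rule 6: every remediation step names an authority and is gated before execution.
    for i, step in enumerate(artifact["remediation"]):
        if not step.get("authority"):
            errors.append(f"remediation[{i}] has no authority")
        if step.get("required_before_execution") is not True:
            errors.append(f"remediation[{i}] must be required before execution")

    return errors


# Constructed sample records (not the PR's fixtures); ref values are placeholders.
VALID_ARTIFACT = {
    "scope": "production",
    "status": "validated",
    "decision": {"execution_allowed": True, "promotion_allowed": True,
                 "repair_required": False, "human_review_required": False},
    "evidence": {key: f"urn:example:{key}" for key in CORE_EVIDENCE_REFS + CONTROL_REFS},
    "remediation": [],
}

BLOCKED_ARTIFACT = {
    "scope": "production",
    "status": "blocked",
    "decision": {"execution_allowed": False, "promotion_allowed": False,
                 "repair_required": True, "human_review_required": True},
    "evidence": {"sbom_ref": "urn:example:sbom_ref", "scan_ref": "urn:example:scan_ref"},
    "remediation": [
        {"step": "pin vulnerable transitive dependency", "authority": "security-review",
         "required_before_execution": True},
    ],
}


def tampered_blocked_artifact() -> dict:
    """A blocked record edited to let execution through and to drop the authority; must fail."""
    bad = copy.deepcopy(BLOCKED_ARTIFACT)
    bad["decision"]["execution_allowed"] = True
    bad["remediation"][0].pop("authority")
    return bad


if __name__ == "__main__":
    for name, record in (("valid", VALID_ARTIFACT), ("blocked", BLOCKED_ARTIFACT),
                         ("tampered", tampered_blocked_artifact())):
        problems = validate_artifact(record)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

The design point worth keeping from the PR's rule list is that the validator returns every violation rather than stopping at the first one, so a blocked record that both re-enables execution and loses its remediation authority surfaces both problems in one run; and a blocked record is not required to carry the full evidence set, since the whole point of the blocked state is that evidence is incomplete and repair is pending.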

@mdheller mdheller merged commit f2a499f into main Jun 2, 2026
11 checks passed

Development

Successfully merging this pull request may close these issues.

Add Prophet Trust Chain supply-chain validation evidence