Add lifecycle boundary decision contracts

[mdheller]

Summary

Implements the first concrete tranche for #113: SourceOS now has explicit lifecycle-boundary contracts separating policy evaluation, runtime effect decisions, and grant/authority-state decisions.

This applies the discipline established across AgentPlane, Guardrail Fabric, Agent Registry, Model Governance Ledger, and Prophet Platform:

evidence/event envelope = observed fact or receipt
policy decision = governed policy evaluation
runtime effect/admission = execution/control decision
authority/grant mutation = registry/grant-state decision
ledger/state report = evidence record only

Adds

• schemas/runtime-effect-decision.v1.1.json
• schemas/grant-state-decision.v1.1.json
• examples/runtime-effect-decision.valid.json
• examples/runtime-effect-decision.authority-mutated.invalid.json
• examples/grant-state-decision.valid.json
• examples/grant-state-decision.missing-authorization.invalid.json
• tools/validate_lifecycle_boundary_examples.py

Updates

• Makefile
  • adds validate-lifecycle-boundary-examples
  • wires it into make validate

Guardrails encoded

• Runtime-effect decisions cite policy decisions and evidence refs but do not mutate authority.
• Runtime-effect decisions do not write ledger records.
• Grant-state decisions require explicit authorization policy and evidence refs.
• Grant-state decisions distinguish unchanged/reduced/suspended/revoked/restored authority.
• Revoked grant-state decisions require all authority effects to be revoked.
• Negative fixtures reject collapsed runtime-effect → authority mutation and grant-state mutation without authorization.

Boundary

This PR does not implement runtime execution, SyncD changes, AgentTerm dispatch changes, or model carry behavior. It is a schema/fixture/validator hardening pass so later implementation work does not collapse evidence, policy, runtime effect, and authority mutation.

Closes #113.