fix(docs): repoint canonical to authsome.ai and drop dead links

docs/site/concepts/credential-storage.mdx

@@ -102,7 +102,7 @@ For example, a sample stored ciphertext looks like:
 This is the format `LocalFileCrypto.encrypt` and `KeyringCrypto.encrypt` produce in `src/authsome/vault/crypto.py`.
 
 <Note>
-  The portable spec ([`docs/specs/authsome-v1.md` §11.4](https://github.com/manojbajaj95/authsome/blob/main/docs/specs/authsome-v1.md)) defines a richer JSON envelope (`{enc, alg, kid, nonce, ciphertext, tag}`) as the cross-language interop target. The current Python implementation uses the compact format above; a future migration may switch to the JSON envelope when a second-language port lands.
+  A future portable spec will define a richer JSON envelope (`{enc, alg, kid, nonce, ciphertext, tag}`) as the cross-language interop target. The current Python implementation uses the compact format above; a future migration may switch to the JSON envelope when a second-language port lands.
 </Note>
 
 ## The three states

docs/site/docs.json

@@ -30,7 +30,7 @@
   "seo": {
     "indexing": "all",
     "metatags": {
-      "canonical": "https://authsome.agentr.dev/docs",
+      "canonical": "https://authsome.ai/docs",
       "title-template": "%s · Authsome",
       "og:site_name": "Authsome Docs",
       "og:type": "website",
@@ -271,7 +271,7 @@
       {
         "header": "Product",
         "items": [
-          { "label": "Home", "href": "https://authsome.agentr.dev" },
+          { "label": "Home", "href": "https://authsome.ai" },
           { "label": "GitHub", "href": "https://github.com/agentrhq/authsome" },
           { "label": "PyPI", "href": "https://pypi.org/project/authsome/" }
         ]

docs/site/guides/custom-providers.mdx

@@ -20,7 +20,7 @@ Before you start:
 3. For OAuth2, find the `authorization_url`, `token_url`, supported scopes, and whether PKCE / device code / Dynamic Client Registration are supported.
 4. For API key, find the header name and prefix the provider expects.
 
-Then write the JSON file following the schema at https://authsome.agentr.dev/docs/reference/provider-schema.
+Then write the JSON file following the schema at https://authsome.ai/docs/reference/provider-schema.
 
 Output:
 

docs/site/roadmap.mdx

@@ -8,8 +8,6 @@ keywords: ["authsome roadmap", "authsome planned features", "identity policy aud
 
 Authsome's architecture is layered: identity, policy, vault, auth, audit. v1 ships Vault, Auth, and the proxy orchestrator. Identity, Policy, and Audit are documented in the design but not yet enforced. This page is the honest tracker for what's coming and what isn't.
 
-The canonical design document is [`authsome-design.md`](https://github.com/agentrhq/authsome/blob/main/docs/authsome-design.md) in the source tree.
-
 ## Landed in v1
 
 - **Vault** <Badge color="green">Shipped</Badge> Encrypted SQLite per profile with AES-256-GCM. Local file or OS keyring backend for the master key. See [Encryption at rest](/security/encryption).
@@ -50,7 +48,7 @@ Re-encrypt every record under a new master key without losing state. The wire fo
 
 ## Recently open questions
 
-These are tracked in [`authsome-design.md`](https://github.com/agentrhq/authsome/blob/main/docs/authsome-design.md) under "Open Questions". They are unresolved enough to call out separately.
+The following are unresolved enough to call out separately from the planned work above.
 
 | Question | Status |
 |----------|--------|

docs/site/security/daemon-trust-boundary.mdx

@@ -46,7 +46,7 @@ The daemon ships without these and we plan to add them:
 - **No persistent session store.** A restart loses any login that is mid-flight. The user re-runs the login.
 - **No process-level isolation between the daemon and the proxy.** Both run in the daemon's address space. A bug in one is reachable from the other.
 
-These are tracked in [`authsome-design.md`](https://github.com/agentrhq/authsome/blob/main/docs/authsome-design.md) under "Open Questions" and on the roadmap.
+These are tracked on the [roadmap](/roadmap).
 
 ## When the model is adequate
 

docs/site/security/disclosure.mdx

@@ -3,21 +3,21 @@ title: "Responsible disclosure"
 sidebarTitle: "Disclosure"
 description: "How to report a security issue in authsome."
 icon: "envelope"
-keywords: ["authsome security disclosure", "authsome vulnerability report", "responsible disclosure", "security@agentr.dev"]
+keywords: ["authsome security disclosure", "authsome vulnerability report", "responsible disclosure"]
 ---
 
 If you find a security issue in authsome, please tell us privately so we can fix it before it's public.
 
 ## How to report
 
-Email **security@agentr.dev** with:
+Open a [private security advisory on GitHub](https://github.com/agentrhq/authsome/security/advisories/new) and include:
 
 - A clear description of the issue and its impact.
 - Steps to reproduce. A minimal proof of concept is ideal.
 - Affected versions if you've narrowed it down (`uvx authsome --version`).
 - Your name and a way to credit you in the fix announcement, if you'd like credit.
 
-If email isn't an option, open a [private security advisory on GitHub](https://github.com/agentrhq/authsome/security/advisories/new).
+Private advisories are visible only to repository maintainers until coordinated disclosure.
 
 ## What to expect
 

docs/site/security/encryption.mdx

@@ -50,7 +50,7 @@ A sample record looks like:
 This is produced by `LocalFileCrypto.encrypt` and `KeyringCrypto.encrypt` in `src/authsome/vault/crypto.py`.
 
 <Note>
-  The portable spec ([`docs/specs/authsome-v1.md` §11.4](https://github.com/agentrhq/authsome/blob/main/docs/specs/authsome-v1.md)) defines a richer JSON envelope (`{enc, alg, kid, nonce, ciphertext, tag}`) as the cross-language interop target. The Python implementation uses the compact format above; a future release may migrate to the JSON envelope when a second-language port lands.
+  A future portable spec will define a richer JSON envelope (`{enc, alg, kid, nonce, ciphertext, tag}`) as the cross-language interop target. The Python implementation uses the compact format above; a future release may migrate to the JSON envelope when a second-language port lands.
 </Note>
 
 ## Master key backends