Security hardening release. Software-only (non-hardware-backed) claims now return partially_verified instead of verified (fail-closed); a real verification failure is never downgraded. An external-execution receipt whose linked_call_id does not match the entry is no longer reported signature-valid.