Harden v1.1.0 commercial schema validation

[GsCommand]

Motivation

• Tighten v1.1.0 commercial schemas to make actor grammar and authorization semantics explicit and to detect accidental drift in duplicated canonical $defs without reintroducing _shared.
• Preserve flat, self-contained schema files and keep examples focused on single clear failures while ensuring CI validation remains strict and useful.

Description

• Require merchant in authorize.request by adding it to the top-level required array so authorize requests explicitly name the merchant counterparty (schemas/v1.1.0/commercial/authorize/authorize.request.schema.json).
• Make authorization_id conditional in authorize.receipt by removing it from the unconditional required list and adding a status-based if/then that requires authorization_id and approved_until when status is approved, and requires reason when status is denied, leaving pending free of forced fake details (schemas/v1.1.0/commercial/authorize/authorize.receipt.schema.json).
• Document requester as the initiator of a verification request and distinguish it from the receipt-side verifier in README.md, SPEC.md, and POLICY.md, and add brief property-level descriptions to the verify request schema (schemas/v1.1.0/commercial/verify/verify.request.schema.json, README.md, SPEC.md, POLICY.md).
• Add a lightweight canonical $defs consistency guard to scripts/validate-all.mjs that normalizes JSON and asserts exact equality for the intended duplicate defs: actor_identity, payer_actor, payee_actor, merchant_actor, provider_actor, carrier_actor, verifier_actor, reference, money, and payment_proof, failing with a helpful message on drift (scripts/validate-all.mjs).
• While validating, apply two minimal fixes so CI remains green: correct a broken $defs ref in verify.receipt ($defs.actor → $defs.actor_identity), remove a stale payment_ref from the purchase valid example, and update the authorize invalid example to still demonstrate a single focused failure (schemas/v1.1.0/commercial/verify/verify.receipt.schema.json, examples/v1.1.0/commercial/purchase/valid/900-purchase.receipt.valid.json, examples/v1.1.0/commercial/authorize/invalid/001-authorize.request.invalid.json).
• Regenerate checksums.txt to reflect the edited checksum-covered artifacts (checksums.txt).

Testing

• Ran npm run validate and the updated scripts/validate-all.mjs (which now includes canonical $defs consistency checks) and it completed successfully.
• Ran npm run validate:examples and all current-line valid/invalid examples validated successfully.
• Ran npm run generate:checksums and the checksum ledger was regenerated to cover the modified machine-artifact set.
• All automated checks passed after the described minimal fixes to the pre-existing blockers.

---

Codex Task