fix(spec): resolve 5 autonomous-actionable C29 findings in data-formats.md #267

Merged
dp-web4 merged 1 commit into main from worker/web4-20260603-180050
Jun 4, 2026

@dp-web4 dp-web4 commented Jun 4, 2026

C29 Remediation Turn

Alternation: #147 was the C29 audit (PR #266, merged 51384aaa); this is the C29 remediation. Applies the 5 AUTONOMOUS findings from docs/audits/C29-data-formats-audit-2026-06-03.md to web4-standard/core-spec/data-formats.md — the identifier/canonicalization SSOT that core-protocol.md:99 and C27/C28 defer to.

Single file, +18/-16. No design decisions; no cross-track edits.

Findings applied (5 autonomous + 1 opportunistic INFO)

| ID | Sev | Fix |
|---|---|---|
| B-M1 | MED | §5.2 — obsoleted RFC 7049 MUST-citation → RFC 8949 §4.2 Core Deterministic Encoding (the 4 listed rules already match 8949; only the citation was wrong) |
| A-M1 | MED | §1.1/§1.2 — register attested device method (multi-device-lct-binding.md:244); restate method list as non-exhaustive/extensible + unrecognized-method-name handling MUST |
| A-M2 | MED | §5.1 — relabel canonicalizeJSON as a NON-NORMATIVE sketch; state conformance REQUIRES full RFC 8785 (the JSON.stringify replacer-array does not recursively sort nested keys). Prose MUST unchanged |
| A-L1 | LOW | hygiene — remove stray _, collapse multi-blank residue |
| A-L2 | LOW | add References [5] RFC 8785, [6] RFC 8949, [7] RFC 5869 (HKDF); cited inline |
| I1 | INFO | opportunistic Version/Status/Last-Updated banner |

Verification

BC#5 corpus sweep confirmed attested did:web4:<method> set = {key, web, device}; §1.2 omitted device. RFC 8949 §4.2 confirmed as the successor to RFC 7049 for deterministic CBOR.

Scope discipline — deliberately held out

  • DESIGN-Q (4) → carry-C28/C29-design-Q: A-H1 (did:web4: vs w4id:pair: self-contradiction), B-H1 (§4.2 deterministic-salt defect — NOT "corrected" this turn; it bundles the operator-level pairwise-algorithm/salt-model decision), B-M2 prefix token, B-M3 W4IDp surface form.
  • CROSS-TRACK (3): web4-lct.md:57 missing method segment; errors.md web4:// scheme; full corpus method-name registry.

Session log: private-context/autonomous-sessions/legion-web4-20260603-180050-session.md

🤖 Generated with Claude Code

…ts.md

C29 remediation turn (alternation: #147 was the C29 audit). Applies the 5
AUTONOMOUS findings from docs/audits/C29-data-formats-audit-2026-06-03.md to
the identifier/canonicalization SSOT; the 4 DESIGN-Q contradictions and 3
CROSS-TRACK items are deliberately held out.

- B-M1 (MED): §5.2 CBOR — replace obsoleted RFC 7049 MUST-citation with
  RFC 8949 §4.2 Core Deterministic Encoding (the 4 listed rules already match
  8949; only the normative citation was wrong).
- A-M1 (MED): §1.1/§1.2 — register the attested `device` method
  (multi-device-lct-binding.md:244) and restate the method list as
  non-exhaustive/extensible with unrecognized-method-name handling.
- A-M2 (MED): §5.1 — relabel the canonicalizeJSON snippet as a NON-NORMATIVE
  sketch; state conformance REQUIRES a full RFC 8785 implementation (the
  JSON.stringify replacer-array does not recursively sort nested keys). Prose
  MUST unchanged.
- A-L1 (LOW): hygiene — remove stray `_` and collapse multi-blank residue.
- A-L2 (LOW): add References [5] RFC 8785, [6] RFC 8949, [7] RFC 5869 (HKDF),
  cited inline.
- I1 (INFO, opportunistic): add Version/Status/Last-Updated banner.

DESIGN-Q held: A-H1 scheme self-contradiction, B-H1 deterministic-salt defect
(NOT corrected — bundles the operator pairwise-algorithm decision), B-M2
prefix, B-M3 W4IDp form → carry-C28/C29-design-Q.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

dp-web4 commented Jun 4, 2026

APPROVED: C29 remediation of web4-standard/core-spec/data-formats.md — applies the 5 autonomous-actionable findings from docs/audits/C29-data-formats-audit-2026-06-03.md (verified present) to the identifier/canonicalization SSOT.

Reviewed against criteria:

  • Design-goal alignment (web4 is development phase): yes — this hardens the SSOT that core-protocol.md and C27/C28 defer to. Single file, +18/-16.
  • Scope match: the diff matches the description exactly — B-M1 (RFC 7049→RFC 8949 §4.2 citation, the obsoleting is correct; the 4 listed rules already matched 8949), A-M1 (register the device method + restate the method list as non-exhaustive/extensible with unrecognized-method handling), A-M2 (relabel canonicalizeJSON as a NON-NORMATIVE sketch — accurate, since the JSON.stringify replacer-array does not recursively sort nested keys; conformance now correctly REQUIRES full RFC 8785), A-L1/A-L2 hygiene + references, I1 banner. No prose-MUST changes beyond the citations.
  • Verification: docs/audits/C29-data-formats-audit-2026-06-03.md exists; multi-device-lct-binding.md exists and is the right anchor for the device method.
  • Scope discipline: correctly holds out the 4 design-Q (incl. the §4.2 deterministic-salt defect B-H1, which bundles an operator-level decision) to carry-C28/C29-design-Q, and the 3 cross-track items. This is the right call — no unilateral design decisions in a remediation turn.
  • No drift, no new files, no orphan code.

Merging (admin — shared account blocks self-approval).

@dp-web4 dp-web4 merged commit 58a3e2b into main Jun 4, 2026
@dp-web4 dp-web4 deleted the worker/web4-20260603-180050 branch June 4, 2026 05:10
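
Finding A-M2 as an added example (not code from this PR or from data-formats.md): `naiveCanonicalize` is a hypothetical stand-in for a top-level replacer-array sketch, and the field names and identifier value are constructed. A replacer array is applied as an allowlist at every depth, so nested members are dropped and two documents with different nested content produce the same bytes, while recursive member sorting keeps them distinct.

```javascript
// Added example. Field names and the identifier value are constructed.

// Hypothetical stand-in for a replacer-array sketch; the spec's own
// canonicalizeJSON snippet is not reproduced on this page.
function naiveCanonicalize(value) {
  // The array is an allowlist applied at every depth, in array order.
  return JSON.stringify(value, Object.keys(value).sort());
}

// Recursive member ordering for values that came from JSON.parse.
// Shows the sorting step only; it is not a complete RFC 8785
// implementation (no I-JSON input validation).
function sortedCanonicalize(value) {
  if (Array.isArray(value)) {
    return "[" + value.map((v) => sortedCanonicalize(v)).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value)
      .sort() // default sort compares UTF-16 code units
      .map((k) => JSON.stringify(k) + ":" + sortedCanonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value); // string, number, boolean, null
}

// docB is docA with members reordered; docC has different nested values.
const docA = { subject: "did:web4:key:EXAMPLE", claims: { role: "witness", scope: "read" } };
const docB = { claims: { scope: "read", role: "witness" }, subject: "did:web4:key:EXAMPLE" };
const docC = { subject: "did:web4:key:EXAMPLE", claims: { role: "admin", scope: "write" } };

// True when two documents serialize to identical bytes under `canon`.
function sameBytes(canon, x, y) {
  return canon(x) === canon(y);
}

console.log("naive  A:", naiveCanonicalize(docA));
console.log("naive  A==C:", sameBytes(naiveCanonicalize, docA, docC));
console.log("sorted A:", sortedCanonicalize(docA));
console.log("sorted A==B:", sameBytes(sortedCanonicalize, docA, docB));
console.log("sorted A==C:", sameBytes(sortedCanonicalize, docA, docC));
```

A signature or hash computed over the replacer-array output would not cover the nested `claims` values at all, which is why conformance is tied to a full RFC 8785 implementation rather than the sketch.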