chore: add Mythos bug-hunt pipeline + AGENTS.md restructure

[avrabe]

Summary

• Scaffolds scripts/mythos/ with a four-prompt Mythos-style agentic bug-hunt pipeline (rank → discover → validate → emit) plus portable HOWTO.md
• Migrates substantive project guidance from CLAUDE.md to AGENTS.md (tool-neutral canonical file); slims CLAUDE.md to a thin pointer mandating AGENTS.md
• Adds a pre-release Mythos delta-pass step (tier-5 for patches, tier-5+4 for minors, full tier-5 for majors/LTS)
• Bumps examples/wasmtime-loader wasmtime 37 → 43 to clear the April 2026 CVE patch floor
• No runtime code change — all modifications are in docs, prompts, and example deps

Context

The Mythos pipeline is modeled on Anthropic's Claude Mythos Preview (April 2026). Key discipline: every confirmed finding requires a failing PoC test plus a failing formal-verification harness (Kani/Verus/SMT). When a formal oracle cannot reach a property — e.g., Kani/CBMC OOMs on std::io symbolic execution — cite the nearest primitive-layer proof and document the limitation. This is spelled out in AGENTS.md under "Kani scope limitation" so future sessions treat CBMC OOM as "tool cannot reach" rather than "verification succeeded".

A related PR will follow (PR 2) with the first Mythos finding applied to signature/sig_sections.rs (silent swallow of cert_count parse errors → certificate-chain downgrade). That PR is decoupled from this one because this PR contains zero runtime code change.

Test plan

• CI passes on rust.yml (should — no runtime code change)
• CI passes on wasm-signing.yml end-to-end
• fuzz.yml passes
• memory.yml passes
• Verify AGENTS.md renders correctly on GitHub
• Verify scripts/mythos/HOWTO.md renders correctly
• Confirm rivet init --agents regeneration risk is understood — manually-maintained section in AGENTS.md is marked; future rivet tooling should preserve it

🤖 Generated with Claude Code

[avrabe]

Update — reverted the wasmtime-loader bump

CI (cargo on both macos-latest and ubuntu-latest) failed on the Build Examples step with:

error[E0599]: the method `with_context` exists for enum `Result<Component, wasmtime::Error>`,
              but its trait bounds were not satisfied
  --> src/main.rs:84:10

Root cause: wasmtime 43's wasmtime::Error no longer implements anyhow::StdError, so Context::with_context from anyhow doesn't apply anymore. PR #82 (which bumped the main lib 29→43) left examples/wasmtime-loader on 37 for exactly this reason.

Reverted the example's Cargo.toml back to wasmtime = "37.0" in commit 86be40b. Bumping the example to 43 properly requires porting the example's error handling (use wasmtime's own helpers or explicit map_err), which is out of scope for this pipeline-scaffolding PR.

Net effect: PR is now truly zero runtime code change — only scripts/mythos/, AGENTS.md, and CLAUDE.md modifications remain.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!