v2.2.3 - EventChain round-2 audit fixes
Round-2 audit hardening. Closes the remaining canonicalization injectivity gaps: negative zero (stringifies to 0 yet is a distinct value), JSON-erased object and array metadata (symbol keys, non-enumerables, accessors, extra array props), and seal-head lone surrogates - all rejected fail-closed. Stored payloads are deep-cloned at every trust boundary so no external reference can mutate signed chain state.
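The gaps named above, as an added JavaScript example of a fail-closed pre-canonicalization check; this is not EventChain's own code, and the function names are hypothetical. It assumes the surrogate check applies to every string and key rather than only the seal head, adds prototype, array-hole and non-finite-number checks the note does not list, and uses a JSON round trip as the deep clone.

```javascript
// Added illustration, not EventChain source; all names here are hypothetical.
const LONE_SURROGATE =
  /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;

function assertCanonicalizable(value, path = "$") {
  const fail = (why) => { throw new TypeError(`${path}: ${why}`); };
  if (value === null || typeof value === "boolean") return;
  if (typeof value === "string") {
    if (LONE_SURROGATE.test(value)) fail("lone surrogate");
    return;
  }
  if (typeof value === "number") {
    if (Object.is(value, -0)) fail("negative zero"); // String(-0) === "0"
    if (!Number.isFinite(value)) fail("non-finite number"); // JSON emits null
    return;
  }
  if (typeof value !== "object") fail(`unsupported type ${typeof value}`);
  const isArray = Array.isArray(value);
  // Assumption: only plain objects and arrays are accepted, so an inherited
  // toJSON (as on Date) cannot change the serialized form.
  const proto = Object.getPrototypeOf(value);
  if (proto !== (isArray ? Array.prototype : Object.prototype)) fail("unexpected prototype");
  let indexed = 0;
  for (const key of Reflect.ownKeys(value)) {
    if (typeof key === "symbol") fail("symbol key");
    if (isArray && key === "length") continue;
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if (!("value" in desc)) fail(`accessor property ${key}`);
    if (!desc.enumerable) fail(`non-enumerable property ${key}`);
    const index = Number(key);
    if (isArray) {
      if (!(Number.isInteger(index) && index >= 0 && String(index) === key)) fail(`extra array property ${key}`);
      indexed++;
    }
    if (LONE_SURROGATE.test(key)) fail("lone surrogate in key");
    assertCanonicalizable(desc.value, `${path}.${key}`);
  }
  // Added check: a hole serializes as null, so [1,,3] would collide with [1,null,3].
  if (isArray && indexed !== value.length) fail("array hole");
}

// Once validated, a JSON round trip copies the value without losing anything.
function cloneForStorage(value) {
  assertCanonicalizable(value);
  return JSON.parse(JSON.stringify(value));
}
```

Every value that passes has exactly one JSON form, which is why the round trip in `cloneForStorage` loses nothing and later mutation of the caller's object cannot reach the stored copy.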