Add ExternalTrustSignalProvider adapter contract

[mdheller]

Summary

• Adds ExternalTrustSignalProvider schema for optional external identity, certificate-tier, reputation, counterparty, and registry lookup verifier inputs.
• Adds active and stale examples to prove usable vs unusable adapter results.
• Adds agent_machine.external_trust semantic validation with explicit freshness, signature, provider-ref, signal-type, safety, and non-authority checks.
• Wires external trust examples into governance validation and package validation.
• Documents the adapter boundary and updates Agent Registry grant docs so PCH/ERC-8004-style systems remain adapter-compatible prior art, not SourceOS authority.

Safety posture

External trust signals are never authorization. They only become optional verifier inputs for the local Agent Registry grant resolver when fresh, properly scoped, signed when required, and marked with authority: non-authoritative-verifier-input.

The contract explicitly forbids raw prompt content, KV-cache contents, private memory, API keys, wallet private keys, raw credentials, raw user data, and secrets in adapter payloads.

Validation

Expected validation paths:

• python3 scripts/validate-json.py
• python3 scripts/validate-governance.py
• python3 -m agent_machine.external_trust examples/external-trust-signal-provider.active.json --expect usable
• python3 -m agent_machine.external_trust examples/external-trust-signal-provider.stale.json --expect unusable
• make validate

Closes #13

[mdheller]

Status note: this PR captured the ExternalTrustSignalProvider contract work, but main advanced with the ReleaseEvidenceBundle lane after the branch was cut. The branch is now diverged and not currently mergeable. Next remediation is to replay this patch set onto external-trust-signal-provider-contract-v2, which is already branched from current main, then close this PR as superseded once the clean PR is open.