Add WallGuard clean-room synthesis contract

[mdheller]

Summary

Adds a WallGuard clean-room synthesis contract surface for Holmes.

This PR introduces:

• schemas/wallguard-clean-room-synthesis.schema.json
• examples/wallguard-clean-room-synthesis.valid.json
• examples/wallguard-clean-room-synthesis.cross-wall.rejected.json
• examples/wallguard-clean-room-synthesis.bad-clean-room.rejected.json
• tools/validate_wallguard_clean_room_synthesis.py
• make validate-wallguard-clean-room-synthesis

Scope

Contract and fixture validation only. This does not implement live synthesis, runtime policy evaluation, model invocation, or artifact export.

Semantics covered

• same-wall synthesis must keep output wall_restricted
• clean-room release requires clean_room_release_allowed
• clean-room release must exclude restricted payloads
• source labels must be preserved
• broader release classifications require restricted payload exclusion
• residual restrictions must remain attached

Links

• Parent spine: WallGuard spine: canonical clean-room implementation map sociosphere#392
• Issue: WallGuard clean-room synthesis path #12
• Doctrine: Add WallGuard information-barrier doctrine ProCybernetica#103
• Sherlock pre-rank retrieval: Add WallGuard pre-rank retrieval filter contract sherlock-search#61
• Memory compartment gate: Add WallGuard memory compartment gate memory-mesh#33
• Guardrail binding: Add WallGuard guardrail binding contract guardrail-fabric#32
• Agent context: Add WallGuard agent wall-context contract agent-registry#45
• Related policy schema PR: Add WallGuard policy decision schema v0 policy-fabric#87

Validation

Not yet run in CI at PR creation. Manual diff review confirms six files changed and Makefile only adds the WallGuard validation target into validate-contracts.

Expected validation command:

make validate-wallguard-clean-room-synthesis

Known gaps

This is not the full Holmes clean-room synthesis runtime. It is the first contract/fixture surface for WallGuard clean-room synthesis and release constraints.