Security: document trust boundaries and secure defaults for host-provided extension points #24

@blindzero

Description

Problem

Even with "data-only" workflow configs, the engine has host-provided extension points (providers, registries, sinks). These require an explicit trust model. Today the trust boundary is not clearly documented and defaults may allow risky behavior.

Goal

  • Clearly document which inputs must be trusted (host responsibility).
  • Ensure defaults minimize risk ("secure by default").

Scope

  • Documentation updates (README + architecture/docs + examples):
    • Providers.StepRegistry is trusted host input
    • Context.EventSink is trusted host input
    • Explain the "safe by default" policy and how to opt in for dev/test
  • Runtime enforcement:
    • Defaults reject ScriptBlock handlers/sinks (see related issues)
    • Errors/warnings are actionable and point to docs

Acceptance criteria

  • Docs contain a dedicated "Security / Trust Model" section.
  • Examples show the recommended safe pattern (object sink contract; handler names, no ScriptBlocks).
  • Engine emits clear errors when unsafe inputs are detected (and links users to docs location/path).
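The runtime-enforcement and acceptance-criteria items above describe one validation step: the engine checks the host-supplied `Providers.StepRegistry` and `Context.EventSink`, rejects ScriptBlock handlers and sinks unless the host explicitly opts in, and raises an error that points at the docs. The PowerShell below is an added illustration of that check and is not code from this project. Everything in it is an assumption: the function name `Test-HostExtensionPoint`, the registry shape (step name mapped to either a handler-name string or a `[scriptblock]`), the sink contract (an object exposing an `OnEvent` method), the `-AllowScriptBlock` dev/test switch, and the docs path placeholder.

```powershell
# Added example, not the project's own code. Names, shapes, the -AllowScriptBlock
# switch and the docs path are assumptions made for illustration.
Set-StrictMode -Version Latest

# Placeholder location of the "Security / Trust Model" section in the docs.
$DocsHint = 'see docs/SECURITY.md (Security / Trust Model)'

function Test-HostExtensionPoint {
    [CmdletBinding()]
    param(
        # Assumed shape: step name -> handler. Safe form: a string naming a handler
        # the host already loaded. Unsafe form: a [scriptblock] that runs arbitrary code.
        [Parameter(Mandatory)] [hashtable] $StepRegistry,
        # Assumed "object sink" contract: any object that exposes an OnEvent method.
        [Parameter(Mandatory)] $EventSink,
        # Dev/test opt-in. Off by default, so ScriptBlocks are rejected.
        [switch] $AllowScriptBlock
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    foreach ($name in $StepRegistry.Keys) {
        $handler = $StepRegistry[$name]
        if ($handler -is [scriptblock]) {
            if (-not $AllowScriptBlock) {
                $problems.Add("Step '$name': ScriptBlock handlers are rejected by default; " +
                              "register a handler name instead, or pass -AllowScriptBlock " +
                              "in dev/test only ($DocsHint).")
            }
        }
        elseif ($handler -isnot [string] -or [string]::IsNullOrWhiteSpace($handler)) {
            $problems.Add("Step '$name': handler must be a non-empty handler name (string) ($DocsHint).")
        }
    }

    if ($EventSink -is [scriptblock]) {
        if (-not $AllowScriptBlock) {
            $problems.Add("EventSink: ScriptBlock sinks are rejected by default; " +
                          "supply an object with an OnEvent method ($DocsHint).")
        }
    }
    elseif (-not ($EventSink.PSObject.Methods.Name -contains 'OnEvent')) {
        $problems.Add("EventSink: object does not expose the required OnEvent method ($DocsHint).")
    }

    # One actionable error listing every violation, rather than failing on the first.
    if ($problems.Count -gt 0) {
        throw ("Untrusted or unsafe host input detected:`n - " + ($problems -join "`n - "))
    }
    return $true
}

# Constructed sample inputs for a stand-alone run.
$safeSink = [pscustomobject]@{}
$safeSink | Add-Member -MemberType ScriptMethod -Name OnEvent -Value {
    param($e) Write-Verbose "event: $($e | ConvertTo-Json -Compress)"
}
$safeRegistry = @{ build = 'Invoke-BuildStep'; test = 'Invoke-TestStep' }
Test-HostExtensionPoint -StepRegistry $safeRegistry -EventSink $safeSink   # $true

# Same sink, but a ScriptBlock handler: rejected under the default policy.
$unsafeRegistry = @{ build = { param($ctx) Write-Host "running build" } }
try   { Test-HostExtensionPoint -StepRegistry $unsafeRegistry -EventSink $safeSink }
catch { Write-Warning $_.Exception.Message }

# Explicit dev/test opt-in makes the same input pass.
Test-HostExtensionPoint -StepRegistry $unsafeRegistry -EventSink $safeSink -AllowScriptBlock
```

The check runs once, at the point where the engine takes ownership of the host-provided objects, so that a misconfigured host fails before any workflow step executes; the thrown message carries the step name, the reason and the docs pointer, which is what "actionable and point to docs" asks for.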

Related

  • Refactor eventing into one sink contract
  • Disallow ScriptBlock step handlers by default
