Tighten security docs, require Node 22, mark archive scripts as historical

[GsCommand]

Motivation

• Provide minimal, credible security guidance and a clear private reporting path for integrity issues that affect identity, routing, discovery, or release provenance.
• Make the runtime requirement explicit so toolchain/CI assumptions are visible to maintainers and contributors.
• Prevent accidental use of legacy migration helpers by surfacing a clear archival warning where contributors read release/update guidance.
• This patch intentionally documents the existing repo contact (dev@commandlayer.org) rather than inventing a staffed security alias, which remains a known limitation.

Description

• Expanded SECURITY.md into a short, serious policy that directs private reports to dev@commandlayer.org, lists the kinds of issues to report, requests coordinated disclosure, and sets a conservative response expectation. (file: SECURITY.md).
• Aligned provenance guidance in SECURITY_PROVENANCE.md to point reporters to dev@commandlayer.org and kept provenance details minimal and consistent. (file: SECURITY_PROVENANCE.md).
• Added an explicit Node engine requirement "engines": { "node": ">=22 <23" } and fixed the default validate script to call the real entrypoint in package.json. (file: package.json).
• Marked scripts/archive/ as historical-only by adding a short note under the Legacy / compatibility section in ONBOARDING.md so contributors see this before running old scripts. (file: ONBOARDING.md).
• Updated discovery descriptors to include the publication_model metadata expected by the descriptor schema so validation aligns with declared provenance, and regenerated checksums.txt. (files: .well-known/agent.json, .well-known/agent-cards-v1.1.0.json, checksums.txt).
• Repaired scripts/validate-cards.mjs to restore correct mode handling and validations (current vs legacy), add explicit source/mirror roots used in expectations, and tighten legacy placeholder checks; this preserves the intended validation flows without changing release behavior. (file: scripts/validate-cards.mjs).

Testing

• Ran node -v to confirm runtime (reported v22.x).
• Regenerated checksums with node scripts/generate-checksums.mjs, which wrote an updated checksums.txt (success).
• Executed npm run validate (which runs npm run validate:current and npm run validate:checksums) and observed successful current-line validation and checksum verification.
• Executed npm run validate:legacy and observed successful legacy-line validation.
• Result: automated validation and checksum verification passed after the changes; no new CI changes were required.

---

Codex Task