feat(fiber): transitionPolicy dial + auto-declared machines deps

[ottobot-ai]

Implements F6 + F7 of the fiber-ergonomics program (docs/proposals/fiber-ergonomics/03-cross-fiber-and-authorization.md). Stacked on #192 (the RFCs + the TransitionOwnerGateDivergenceSuite regression test this PR's fix flips green); retargets to main when #192 merges.

F7 — close the transition-authorization enforcement gap (the security fix)

Today the transition owner-gate is coded in validateSignedUpdate but not in the combiner, so the authoritative apply path advances committed state for any signer whose transition passes the guard (pinned by TransitionOwnerGateDivergenceSuite in #192). This PR makes signer-authorization actually bind, and makes the posture explicit:

• New TransitionPolicy ADT (Open rank 0 / OwnersOrParticipants rank 1 / Owners rank 2) + FiberPolicy.Constrained.transitionPolicy: Option = None. Option/omit-safe, bare-string codec, collapses through isEmpty/constrained like every other dial, and joins the tighten-only lattice as a rankUp dial (a migration may only go Open → OwnersOrParticipants → Owners, never launder back down).
• Enforced in the combiner (FiberCombiner.processFiberEvent, after the sequence check, before orchestrator.process) as a graceful CombineRejected — the authoritative-gate pattern registry/asset ops already use. Resolves verified signer addresses from update.proofs (mirrors the create path + updateSignedByOwnerOrParticipant).

⚠️ The absent-dial default is Open (deliberate, additive)

An absent transitionPolicy resolves to Open = today's live guard-only behavior, so every existing fiber is unchanged and apps opt up explicitly. This PR ships the mechanism only. Flipping the default to OwnersOrParticipants (restoring the declared gate) is a breaking, security-hardening decision deliberately reserved for maintainers (RFC §3.4 / §6 Q1) — it would break the "counterparty can sign" pattern MultiPartyTransitionSigningSuite encodes, so it must come with an engine-version bump + migration window + reconciling that suite. Not done here.

F6 — auto-declare static machines.$id read dependencies

StaticDependencyScan.staticMachineRefs walks a transition's guard/effect AST and returns every literally-referenced machines.<uuid> id; FiberEvaluator unions those into the runtime dependency set handed to ContextProvider.buildContext. Kills the silent-null trap (read a cross-fiber state without also hand-declaring the dep). A computed target id still needs an explicit dependencies entry / _addDependency — intentionally uncovered.

Invariant compliance (CLAUDE.md)

• docs: Comprehensive documentation overhaul #1: transitionPolicy is Option/omit-safe — absent ⇒ stripped by dropNulls ⇒ byte-identical canonical. PublishVersionSigningCanonicalSuite +2 cases (absent ⇒ byte-identical, set ⇒ round-trips). The F6 scan augments only the runtime dep set and never mutates the signed Transition.dependencies.
• Example: Agent Identity Lifecycle — Decentralized Agent Reputation Protocol #2: signer-auth + the dial are enforced as graceful CombineRejected in the combiner, never as a block-acceptance Invalid.
• Refactor: Extract shared test utilities and migrate example tests #3: the combiner check reads only the fiber's own hash-pinned policy dial + the stable owners/authorizedSigners record fields — no registry/asset lineage; validateSignedUpdate is untouched.

Tests

• New TransitionPolicyEnforcementSuite (Open applies a non-owner; Owners rejects; OwnersOrParticipants accepts a participant, rejects a stranger) and AutoDependencyScanSuite.
• PublishVersionSigningCanonicalSuite +2 cases.
• Full sharedData/test: 576 passed, 0 failed. The three named existing suites stay green: TransitionOwnerGateDivergenceSuite 1/1 (default-Open still applies — the gap is now opt-in closeable), MultiPartyTransitionSigningSuite 6/6, PublishVersionSigningCanonicalSuite 5/5. scalafmtCheckAll clean.

🤖 Generated with Claude Code