[Change] Publisher Identity and Module Trust Chain #327

@djm81


Why

marketplace-02 provides multi-registry support but modules carry no publisher attestation beyond a simple publisher string. To enable a verified third-party module ecosystem, the CLI needs a CA-style publisher identity system: NOLD AI vouches for publisher identity and module integrity, but not for module content or behaviour. Publishers host their own artifacts; NOLD AI hosts only the trust index.

What Changes

  • NEW: src/specfact_cli/trust/ — trust orchestration layer (resolver.py, publisher_registry.py, key_store.py)
  • MODIFY: src/specfact_cli/registry/crypto_validator.py — extend validate_module() with verified and community tier branches (official path unchanged)
  • MODIFY: src/specfact_cli/modules/module_registry/src/ — trust verification at install; trust tier badges in search/info; --trust-community / --trust-unregistered flags with audit logging
  • MODIFY: scripts/publish-module.py — add NOLD AI registry endorsement countersignature step
  • NEW: scripts/sign-publishers.py — CI script to sign publishers/index.json
  • NEW: docs/guides/publisher-trust.md — user-facing trust tier guide

Acceptance Criteria

  • specfact module install @mycompany/specfact-jira-sync verifies publisher attestation and registry endorsement before installing
  • specfact module search shows tier badges: [official], [verified], [community], [unregistered]
  • Community modules prompt before install; unregistered modules are blocked unless --trust-unregistered
  • ~/.specfact/module-audit.log records all trust-override installs
  • All public APIs have @icontract and @beartype decorators
  • Existing official-tier install path has zero regressions

OpenSpec Change Proposal: marketplace-03-publisher-identity
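
A sketch of the install gate that the acceptance criteria describe, added here as an example and not taken from the specfact-cli code base. The names `Tier`, `decide_install`, `install` and `signatures_ok` are hypothetical, and three behaviours are assumptions: `--trust-community` skips the prompt, only flag-based overrides are written to the audit log, and a failed verification can never be overridden by a flag.

```python
import json
import time
from enum import Enum
from pathlib import Path


class Tier(str, Enum):
    OFFICIAL = "official"
    VERIFIED = "verified"
    COMMUNITY = "community"
    UNREGISTERED = "unregistered"


def decide_install(tier, signatures_ok, *, trust_community=False,
                   trust_unregistered=False, confirm=lambda: False):
    """Return (allowed, override_flag). Every path fails closed.

    signatures_ok stands in for the tier's cryptographic checks (publisher
    attestation plus registry endorsement); it is ignored for unregistered
    modules, which have nothing to verify.
    """
    if tier is Tier.UNREGISTERED:
        # Blocked unless the user explicitly opts in.
        return (True, "--trust-unregistered") if trust_unregistered else (False, None)
    if not signatures_ok:
        # Assumption: no trust flag can rescue a failed verification.
        return False, None
    if tier is Tier.COMMUNITY:
        if trust_community:
            return True, "--trust-community"
        return bool(confirm()), None  # interactive prompt, default is "no"
    return True, None  # official and verified tiers


def install(module, tier, signatures_ok, audit_log, **opts):
    """Apply the gate and append one JSON line per trust-override install."""
    allowed, override = decide_install(tier, signatures_ok, **opts)
    if allowed and override:
        entry = {"ts": int(time.time()), "module": module,
                 "tier": tier.value, "override": override}
        audit_log.parent.mkdir(parents=True, exist_ok=True)
        with audit_log.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
    return allowed


# Log location named in the acceptance criteria.
DEFAULT_AUDIT_LOG = Path.home() / ".specfact" / "module-audit.log"
```

Keeping the decision in a pure function separate from the log write lets the tier policy be tested without touching the filesystem.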
