fix: harden module lifecycle bootstrap and signing workflows #299

Merged
djm81 merged 3 commits into dev from bugfix/backlog-core-05-user-modules-bootstrap
Feb 24, 2026

@djm81 (Collaborator) commented Feb 23, 2026

Description

Implements backlog-core-05 user module bootstrap and module security hardening end-to-end.

Main outcomes:

  • Module lifecycle moved fully into specfact module command group (deprecated specfact init module flags removed).
  • Reliable bundled module bootstrap into user/project scopes:
    • user: ~/.specfact/modules
    • project: <repo>/.specfact/modules
  • Discovery/install/uninstall consistency with explicit scope targeting and conflict protection.
  • Bundled module install support (subset install) and list visibility for bundled-not-installed modules.
  • Startup freshness checks for bundled modules (version-change + daily cadence hints).
  • Security hardening:
    • denylist enforcement
    • trust gate for non-official publishers
    • full-module payload checksum/signature verification
    • signing + verification scripts and CI wiring with encrypted-key passphrase support
    • version-bump enforcement before signing/verification
  • Docs/OpenSpec updates for module paths, lifecycle flow, signing, verification, and versioning gates.
  • Version bumped to 0.37.0 with changelog updates.

Fixes #298

New Features #298

Contract References: No new public contract surface introduced beyond existing module lifecycle and installer APIs; behavior changes are covered by added/updated unit tests and OpenSpec deltas.

Type of Change

Please check all that apply:

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🔒 Contract enforcement (adding/updating @icontract decorators)
  • 🧪 Test enhancement (scenario tests, property-based tests)
  • 🔧 Refactoring (code improvement without functionality change)

Contract-First Testing Evidence

Required for all changes affecting CLI commands or public APIs:

Contract Validation

  • Runtime contracts added/updated (@icontract decorators on public APIs)
  • Type checking enforced (@beartype decorators applied)
  • CrossHair exploration completed: hatch run contract-test-exploration
  • Contract violations reviewed and addressed

Test Execution

  • Contract validation: hatch run contract-test-contracts
  • Contract exploration: hatch run contract-test-exploration
  • Scenario tests: hatch run contract-test-scenarios
  • Full test suite: hatch run contract-test-full

Test Quality

  • CLI commands tested with typer test client
  • Edge cases covered with Hypothesis property tests
  • Error handling tested with invalid inputs
  • Rich console output verified manually or with snapshots

How Has This Been Tested?

Contract-First Approach: OpenSpec deltas/tasks/TDD evidence were updated first, then targeted failing-to-passing tests and verification scripts for module lifecycle/security paths.

Manual Testing

  • Tested CLI commands manually
  • Verified rich console output
  • Tested with different input scenarios
  • Checked error messages for clarity

Automated Testing

  • Contract validation passes
  • Property-based tests cover edge cases
  • Scenario tests cover user workflows
  • All existing tests still pass

Test Environment

  • Python version: 3.12 (hatch env)
  • OS: Ubuntu (Linux)

Checklist

  • My code follows the style guidelines (PEP 8, ruff format, isort)
  • I have performed a self-review of my code
  • I have added/updated contracts (@icontract, @beartype)
  • I have added/updated docstrings (Google style)
  • I have made corresponding changes to documentation
  • My changes generate no new warnings (basedpyright, ruff, pylint)
  • All tests pass locally
  • I have added tests that prove my fix/feature works
  • Any dependent changes have been merged

Quality Gates Status

  • Type checking ✅ (hatch run type-check)
  • Linting ✅ (hatch run lint)
  • Contract validation ✅ (hatch run contract-test-contracts)
  • Contract exploration ✅ (hatch run contract-test-exploration)
  • Scenario tests ✅ (hatch run contract-test-scenarios)

Screenshots/Recordings (if applicable)

N/A (CLI behavior changes documented in examples/help output and tests).
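The install-time gates listed under "Security hardening" (denylist, trust gate for non-official publishers, full-module payload checksum), sketched as an added example that is not code from this pull request or from the project. The policy values, the `module.yaml` file name, the function names and the `trust_non_official` parameter are assumptions for illustration; verifying a signature over the expected digest is left out.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample policy; names are hypothetical, not the project's values.
DENYLIST = {"bad-module"}
OFFICIAL_PUBLISHERS = {"official-publisher"}

def payload_digest(module_dir: Path) -> str:
    """SHA-256 over every file's relative path and bytes, in sorted order."""
    files = {}
    for path in module_dir.rglob("*"):
        if path.is_symlink():
            raise ValueError(f"symlink in payload: {path}")
        if path.is_file():
            files[path.relative_to(module_dir).as_posix()] = path.read_bytes()
    digest = hashlib.sha256()
    for rel in sorted(files):
        # Length-prefix name and content so file boundaries cannot be shifted.
        for field in (rel.encode(), files[rel]):
            digest.update(len(field).to_bytes(8, "big") + field)
    return digest.hexdigest()

def install_decision(name, publisher, module_dir, expected, trust_non_official=False):
    """Apply the gates in order: denylist, publisher trust, payload checksum."""
    if name in DENYLIST:
        return "rejected: denylisted"
    if publisher not in OFFICIAL_PUBLISHERS and not trust_non_official:
        return "rejected: untrusted publisher"
    if not hmac.compare_digest(payload_digest(module_dir), expected):
        return "rejected: payload checksum mismatch"
    return "allowed"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp) / "sample-module"  # constructed module tree
        (mod / "src").mkdir(parents=True)
        (mod / "module.yaml").write_text("name: sample-module\n")
        (mod / "src" / "main.py").write_text("print('hello')\n")
        expected = payload_digest(mod)
        results = [
            install_decision("sample-module", "official-publisher", mod, expected),
            install_decision("bad-module", "official-publisher", mod, expected),
            install_decision("sample-module", "third-party", mod, expected),
        ]
        # Tamper with a file other than the manifest; the digest must change.
        (mod / "src" / "main.py").write_text("print('tampered')\n")
        results.append(install_decision("sample-module", "official-publisher", mod, expected))
        return results
```

Hashing the whole tree rather than only the manifest is what lets the last case in `demo()` fail: the manifest is untouched, but the changed source file alters the digest.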


Labels

  • architecture: Architecture and design changes
  • bug: Something isn't working
  • marketplace: Module marketplace features
  • module-system: Module system and registry
  • QA: Quality Assurance

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Backlog Core — User Modules Bootstrap and Prompt Resource Sync

1 participant