Clarify release integrity boundaries

[GsCommand]

Motivation

• Remove ambiguity about what the repository considers part of the checksum-protected release to make the integrity story defensible to a skeptical reviewer.
• Eliminate a decorative/external manifest $schema reference that implied an external authoritative validation step which is not enforced.
• Make meta/docs explicitly state their applicability (repo-wide, current-line, or active-line) so readers do not guess which policy applies to a release.

Description

• Chose Option A: checksums cover only canonical machine artifacts and enforced that in tooling and prose by limiting the checksum surface to schemas/v1.1.0/, examples/v1.1.0/, and manifest.json and documenting that decision in README.md, SPEC.md, POLICY.md, SECURITY_PROVENANCE.md, and ONBOARDING.md.
• Removed the decorative $schema field from manifest.json and tightened scripts/validate-all.mjs to assert the absence of a $schema field and to check manifest fields such as current_index and checksums_file directly.
• Hardened scripts/generate-checksums.mjs to parameterize the current version, assert that only the intended machine-artifact files are collected, and fail if unexpected targets are found, and regenerated checksums.txt.
• Added concise applicability language to GOVERNANCE.md, POLICY.md, COMPLIANCE.md, SECURITY.md, and ONBOARDING.md so each meta document signals whether it is repo-wide, current-line general, or active-line specific.

Testing

• Ran npm run generate:checksums and the script successfully wrote the new checksum ledger for the current-line machine artifacts.
• Ran npm run validate (which runs validate:schemas and validate:examples) and it passed with the strengthened manifest checks.
• Ran npm run validate:examples separately and it passed for all verbs.
• Verified checksums with sha256sum -c checksums.txt and all entries checked OK.

---

Codex Task