Add TRACaBot

[brxtrac]

What this PR does

Adds TRACaBot, a live Telegram anti-scam service and OpenClaw-compatible agent that writes evidence-backed moderation artifacts to DKG v10 Shared Memory for cross-community fraud defense.

Integration links

• Repo: https://github.com/brxtrac/tracabot
• Commit pinned: 6741e649c5be43c05da09585846af4fefce4b76a
• Published package: tracabot@0.1.0
• Design brief (bounty submissions): https://github.com/brxtrac/tracabot/blob/6741e649c5be43c05da09585846af4fefce4b76a/docs/DESIGN_BRIEF.md
• Demo (bounty submissions): https://github.com/brxtrac/tracabot/blob/6741e649c5be43c05da09585846af4fefce4b76a/docs/DEMO.md

Scope & faithfulness

• Integration uses only the supported public interfaces (HTTP API, dkg CLI, MCP). It does not import internal DKG packages, patch node source, or write to SPARQL directly (bypassing the assertion lifecycle / Curator).
• memoryLayers correctly reflects which layer(s) the integration touches.
• v10PrimitivesUsed correctly reflects which primitives are exercised.
• Terminology matches the v10 vocabulary (Context Graph, Sub-graph, Assertion, Knowledge Asset, Knowledge Collection, Curator, Entity, WM/SWM/VM).

Security declarations (Section 8a)

• security.networkEgress lists every external host the integration contacts beyond the local DKG node.
• security.writeAuthority lists every DKG write operation the integration performs. Curator-authority ops (PUBLISH, SHARE, endorse, verify) are called out explicitly if used.
• security.credentialsHandled lists every third-party credential the installer will prompt for.
• The published package has no preinstall / install / postinstall scripts, or the exceptions are explained in security.notes.
• The package is published with build provenance (npm publish --provenance) when applicable.
• The pinned git SHA is the exact commit the published package was built from.

Contributor attestation

• This integration is my own work or properly licensed.
• It contains no intentional backdoors, malicious logic, or data-exfiltration paths beyond what is declared in security.networkEgress.
• I understand that the integration may be delisted for any material misrepresentation in the registry entry.
• I commit to a minimum 6-month maintenance window post-acceptance (bounty submissions).

Notes for the committee

TRACaBot is already deployed as @tracethembot; the demo link points to the repeatable live walkthrough and verification script. npm publish --provenance was attempted, but npm reported Automatic provenance generation not supported for provider: null in this non-CI shell, so tracabot@0.1.0 was published without provenance. Local verification passed: npm test (102/102), npm run test:commands, npm audit --omit=dev, and this registry's npm run validate.