Add TrustOps ART runner smoke slice

[mdheller]

Summary

Adds the first runtime slice for TrustOps Fabric: a thin trustops-art-runner app that consumes a functional service manifest and emits a deterministic synthetic trustops-receipt.v1 robustness receipt.

This is intentionally not a full ART integration yet. ART remains an isolated provider backend. This PR proves the Prophet Platform seam first: manifest input, receipt output, policy decision shape, evidence refs, ledger action, and guardrail action.

Upstream standards PR: SocioProphet/functional-model-surfaces#9
Tracking issue: #398

Added

• apps/trustops-art-runner/README.md
• apps/trustops-art-runner/src/trustops_art_runner/receipt.py
  • deterministic synthetic art-smoke receipt builder
  • data-boundary invariant: rawDataExported=false
  • ledger and guardrail action hints
• apps/trustops-art-runner/src/trustops_art_runner/cli.py
  • python3 -m trustops_art_runner.cli run --profile art-smoke ...
• apps/trustops-art-runner/examples/functional-service.demo.json
• apps/trustops-art-runner/tests/test_receipt.py
• apps/trustops-art-runner/Makefile
  • app-local validate, test, and smoke targets

Validation

App-local validation target:

cd apps/trustops-art-runner
make validate

This installs only pytest for unit tests and does not install ART. The full ART-backed adversarial profile should be added behind the same receipt and CLI surface in the next slice.

Design boundary

• No platform core package imports ART directly.
• The runner emits normalized TrustOps receipts, not provider-specific Python objects.
• The synthetic backend is a contract/control-plane seam, not a claim of production adversarial coverage.
• Production promotion still requires a full ART-backed robustness profile and ledger/guardrail ingestion.