chore(commerce): drop "malicious merchant" rationale from canonical-api comment

The _CANONICAL_AGENTSCORE_API note explained why the URL was hardcoded in
threat-model terms ("Prevents a malicious merchant from emitting memory
pointing agents at their own phishing endpoints"). Behavior-only language
is enough; the canonical-URL choice stands without narrating the threat.

Author: vvillait88

agentscore_commerce/identity/types.py

@@ -129,9 +129,8 @@ class VerifyWalletSignerResult:
     agent_instructions: str | None = None
 
 
-# Canonical production AgentScore API — agent memory pointers are always hardcoded to this
-# value regardless of how a given merchant configured their gate. Prevents a malicious merchant
-# from emitting memory pointing agents at their own phishing endpoints.
+# Canonical production AgentScore API; agent memory pointers are always hardcoded to this
+# value regardless of how a given merchant configured their gate.
 _CANONICAL_AGENTSCORE_API = "https://api.agentscore.sh"