fix: harden paper evidence and release provenance

[magnaquant]

Summary

• fail closed on incomplete paper price matrices and tracked raw inputs
• align canonical target-tape schema and runtime validation for JSON primitives, RFC 3339 timestamps, symbols, non-negative weights, and binary64 numeric limits
• keep cross-record portfolio invariants in runtime validation and add a scoped schema/runtime acceptance matrix
• round-trip every paper decision stream through the versioned payload boundary and publish canonical payload hashes
• fingerprint the release wrapper itself and harden the two-commit paper release workflow
• strengthen repository data-policy and claim-to-evidence regression tests

Artifact integrity

• clean source commit: ef6e7e3414aed0ae9b77d50748a22823529486af
• artifact commit: 9fda3da04733d439ef5451b3d8dfd63d4d000a09
• manifest schema v5 records the clean source commit and worktree_clean_at_start: true
• all 12 economic CSVs, all six figures in PDF and PNG, all 10 report charts, and all four target-payload hashes are byte-identical to the prior reviewed release
• headline results are unchanged: net CAGR 1.40%, Sharpe -0.15; costed comparator CAGR 5.72%, Sharpe 0.62; active CAGR -4.14% with 95% interval [-6.70%, -1.63%]
• public PDF SHA-256: 59fcd30467d449984118d746417d810757d32fbceb72af25d0d4a84a65203000
• anonymous PDF SHA-256: 3bf902d420224032fa11492ddb4f8d3b636972f4a3d7740e4b7aef4bbf8484ff

Verification

• 435 passed; package coverage 67.75%
• ruff check .
• poetry check; all exported dependency locks match
• sdist and wheel build successfully
• all 28 paper artifact hashes and both JSON schemas verify
• deterministic Tectonic rebuild reproduces both PDF hashes exactly
• final artifact-commit release rerun changes zero tracked files
• all 20 public and 20 anonymous PDF pages visually inspected; anonymous identifier scan clean