contracts: harden artifact and extension boundaries #131

Merged
RyshMan merged 4 commits into main from codex/adhoc-contract-hardening
Mar 31, 2026
@RyshMan (Contributor) commented Mar 31, 2026

Problem

  • scan-owned and evidence-managed paths still relied on static marker bodies, which made forged markers a weak authorization signal for destructive reuse
  • wrkr scan could fail late after mutating managed artifacts, leaving mixed generations of state, proof, manifest, and sidecar outputs on disk
  • wrkr campaign aggregate accepted generic status=ok JSON instead of only complete wrkr scan --json artifacts
  • repo-local extension findings were still being promoted into authoritative inventory and regress surfaces by default

Changes

  • introduce state-bound managed marker payloads and apply them to materialized scan roots, evidence output dirs, and org checkpoint roots
  • make scan-managed artifact publication transactional with rollback on late failures
  • tighten campaign artifact validation to require the expected scan contract objects and arrays
  • keep extension detector output on additive finding/risk surfaces by default, with regression, scenario, and boundary coverage updates
  • refresh command/trust docs, changelog notes, and product/PLAN_NEXT.md to match the hardened behavior

Validation

  • make prepush-full

@RyshMan requested a review from davidahmann as a code owner March 31, 2026 17:31
@RyshMan merged commit 8fd2069 into main Mar 31, 2026
9 checks passed
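
Added example (not part of this PR or of the wrkr code base): one way to make publication of several managed artifacts all-or-nothing with rollback on a late failure, as described under Changes, sketched in Go. The publish helper, the .new/.bak suffixes, the file names and the late callback are assumptions for illustration; recovery from a crash in the middle of publish is out of scope.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// publish installs every artifact in files under dir, or none (hypothetical
// helper, not wrkr's code). late is any step that can fail after the swap.
func publish(dir string, files map[string][]byte, late func() error) (err error) {
	var swapped []string // targets whose previous generation was moved aside
	defer func() {
		for n := range files {
			os.Remove(filepath.Join(dir, n+".new")) // drop leftover staging files
		}
		for _, p := range swapped {
			if err == nil {
				os.Remove(p + ".bak") // commit: discard the previous generation
				continue
			}
			os.Remove(p)           // roll back: discard the new file and
			os.Rename(p+".bak", p) // restore the old one (fails harmlessly if none)
		}
	}()
	for n, data := range files { // phase 1: stage; live artifacts untouched
		if err = os.WriteFile(filepath.Join(dir, n+".new"), data, 0o600); err != nil {
			return fmt.Errorf("stage %s: %w", n, err)
		}
	}
	for n := range files { // phase 2: move old aside, rename staged file in
		p := filepath.Join(dir, n)
		if err = os.Rename(p, p+".bak"); err != nil && !errors.Is(err, os.ErrNotExist) {
			return fmt.Errorf("backup %s: %w", n, err)
		}
		swapped = append(swapped, p)
		if err = os.Rename(p+".new", p); err != nil {
			return fmt.Errorf("install %s: %w", n, err)
		}
	}
	return late() // phase 3: a failure here still triggers the rollback above
}

func main() {
	dir, _ := os.MkdirTemp("", "publish-demo") // constructed sample input below
	defer os.RemoveAll(dir)
	files := map[string][]byte{"state.json": []byte("{}")}
	fmt.Println(publish(dir, files, func() error { return errors.New("late failure") }))
}
```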