feat: disclose agent-assisted production #175

Open
tomjwxf wants to merge 1 commit into ossf:main from tomjwxf:agent-assisted-production-disclosure

tomjwxf commented Apr 30, 2026

Summary

Adds an optional project-level agent-assisted-production disclosure field with a deliberately small, vendor-neutral shape:

project:
  agent-assisted-production:
    used: true
    governance-declaration: https://example.com/.well-known/agent-governance

The field lets a project disclose whether automated agents are used in production workflows and, if useful, point readers to a project-maintained governance declaration.

Design choices

  • Project-level first, because agent-assisted production often spans multiple repositories and workflows.
  • Optional and backward-compatible.
  • Does not prescribe a specific receipt format, policy engine, attestation framework, or vendor.
  • Framework-specific details stay behind the optional governance-declaration URI.

Validation

  • go run cuelang.org/go/cmd/cue@latest vet -d '#SecurityInsights' ./spec examples/example-full.yml
  • go run cuelang.org/go/cmd/cue@latest vet -d '#SecurityInsights' ./spec examples/example-agent-assisted-production.yml

Context: follows discussion in #171.

aeoess commented Apr 30, 2026

Confirming the v0.1 shape matches what we landed on in #171: project-level scope, schema-neutral on format, framework-specific content lives behind the optional governance-declaration URI.

APS publishes the equivalent surface at https://aeoess.com/.well-known/aps.txt (signed JSON-LD: publisher DID, default terms, revocation policy, MCP endpoint, path overrides). The URI stays stable while format and policy details evolve underneath, which is the property the SI side wanted from a forward-compatible field.

Reads clean from the implementer side.
