feat(core): decision provenance + v0.7.0 release #12

Merged: requie merged 2 commits into main from release/v0.7.0, Jun 8, 2026
@requie requie commented Jun 8, 2026

Collaborator

Decision provenance — signed, hash-chained DecisionRecord captured at every decision boundary (pre_tool_use / stop / subagent_start) before the action executes, so a downstream verifier can prove the rationale was bound at decision time and not retrofitted. Lives in the same AttestationChain as AttestationRecord; each subsequent attestation Evidence-links the decisions that preceded it. CaptureTier discriminates how much rationale was actually captured — production today is Tier C (Minimal); Tier B/A schemas reserved for adapter-specific deliberation surfaces (Claude reasoning streams, OpenAI Responses reasoning content, etc.).

Verifiable end-to-end via `python -m agentegrity verify-decisions <chain.json>` or programmatically via `AttestationChain.verify_decision_links()`. Capture fails open: on exception, logs a warning AND emits a structured `capture_failure` FrameworkEvent so monitoring can see the gap.

New symbols (all in agentegrity top-level): DecisionRecord, DecisionInput, RejectedAlternative, CaptureTier, ChainedRecord Protocol, Evidence (was previously package-internal), build_attestation_record helper, build_decision_record helper. _BaseAdapter and IntegrityMonitor gain optional signing_key= and record_decision(). AttestationChain gains to_json/from_json, verify_chain_detailed, verify_decision_links.

Backward-incompatible changes:

  • AttestationRecord canonical payload now includes record_kind. Required so the heterogeneous chain can distinguish kinds under signature (otherwise a tamperer could flip a decision into an attestation post-signing).
  • Evidence.content_hash is now real SHA-256 of the canonical layer-result JSON. Was process-salted Python hash() — non-deterministic across processes and non-portable, which silently broke any cross-process tamper-evident verification. Three duplicated record-build paths (adapter base, monitor, SDK client) now share one build_attestation_record() helper.
  • Chains serialized pre-v0.7 fail verify_chain() after upgrade, signed or not. The in-memory recomputed content_hash (now over the new canonical bytes) doesn't match the stored chain_previous references in subsequent records. No rescue migration script: re-build from a fresh root with the new code or pin to v0.6 for legacy verification.

Release machinery:

  • pyproject 0.6.0 → 0.7.0; src/agentegrity/__init__.py __version__; README badge + roadmap (v0.7 entry, v0.6 demoted from (current), v0.8 forward-looking); spec/threat-model.md version + date; STATUS last-reviewed.
  • 7 @agentegrity/* npm packages bumped + @agentegrity/client peer pin bumped where present.
  • Repo references renamed cogensec/agentegrity-framework → cogensec/agentegrity across 19 files (GitHub rename completed by the maintainer; old URLs redirect for now).
  • CHANGELOG [Unreleased] → [0.7.0] - 2026-06-08 with new compare footer.
  • _ADAPTERS list in python -m agentegrity info output now shows autogen / agno / bedrock_agents alongside the original five.

Spec at spec/properties/decision-provenance.md. Three new glossary entries: Decision Record, Capture Tier, Decision Boundary.

Test impact: +66 tests (414 → 480). mypy clean across 39 source files. ruff clean.

@requie requie self-assigned this Jun 8, 2026
@requie requie added the enhancement New feature or request label Jun 8, 2026
@requie requie merged commit 34d149f into main Jun 8, 2026
10 checks passed
@requie requie deleted the release/v0.7.0 branch June 8, 2026 18:06
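
The two breaking changes described in the PR (`record_kind` inside the signed canonical payload, and a SHA-256 content hash over canonical JSON) can be seen in a small stand-alone sketch. This is an added example, not code from the agentegrity project: the record layout, the function names, the `bind_kind` switch and the use of HMAC-SHA256 as a stand-in for the project's signing scheme are all assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the real signing scheme


def payload_bytes(rec, bind_kind=True):
    """Canonical bytes that get hashed and signed (sorted keys, fixed separators)."""
    fields = {"body": rec["body"], "chain_previous": rec["chain_previous"]}
    if bind_kind:  # False models a payload that leaves the kind outside the signature
        fields["record_kind"] = rec["record_kind"]
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(rec, bind_kind=True):
    """SHA-256 of the canonical payload: identical in every process, unlike hash()."""
    return hashlib.sha256(payload_bytes(rec, bind_kind)).hexdigest()


def sign(rec, bind_kind=True):
    return hmac.new(KEY, payload_bytes(rec, bind_kind), hashlib.sha256).hexdigest()


def append(chain, kind, body, bind_kind=True):
    prev = content_hash(chain[-1], bind_kind) if chain else None
    rec = {"record_kind": kind, "body": body, "chain_previous": prev}
    rec["signature"] = sign(rec, bind_kind)
    chain.append(rec)


def verify(chain, bind_kind=True):
    prev = None
    for i, rec in enumerate(chain):
        if rec["chain_previous"] != prev:
            return f"broken link at {i}"
        if not hmac.compare_digest(rec["signature"], sign(rec, bind_kind)):
            return f"bad signature at {i}"
        prev = content_hash(rec, bind_kind)
    return "ok"


def flip_kind_after_signing(bind_kind):
    """Build decision -> attestation, then relabel the decision; return (before, after)."""
    chain = []
    append(chain, "decision", {"boundary": "pre_tool_use", "tool": "shell"}, bind_kind)
    append(chain, "attestation", {"evidence": [content_hash(chain[0], bind_kind)]}, bind_kind)
    before = verify(chain, bind_kind)
    chain[0]["record_kind"] = "attestation"  # tamper: the signature is left untouched
    return before, verify(chain, bind_kind)
```

With `bind_kind=True` the relabelled record fails signature verification; with `bind_kind=False` the same relabelling verifies cleanly, which is the gap the PR closes.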