feat(security): make pack checksums mandatory at registry schema version 2

[breferrari]

Context

PR #240 introduced optional SHA-256 checksum verification for pack content. Currently, checksums are verified when present but missing checksums only produce a warning (backward compatibility during rollout). This leaves a downgrade attack vector (SEC-1): a compromised registry could strip or replace checksums to bypass verification entirely.

Proposal

Once all registry packs have checksums (after PackWeave/registry#4 merges):

1. Bump CURRENT_REGISTRY_SCHEMA_VERSION to 2
2. Make checksum: None a hard error on install/update — packs without checksums are rejected
3. Make unknown algorithm prefixes (non-sha256:) a hard error with a clear "please upgrade weave" message
4. Update the verify() function in src/core/checksum.rs to enforce these rules when registry schema >= 2

Why not now?

The registry is being migrated — old packs don't have checksums yet. Making them mandatory before migration completes would break all installs. This must wait until all published pack versions carry checksums.

Acceptance criteria

• checksum::verify() returns Err (not Ok with warning) for None checksums when registry schema >= 2
• Unknown algorithm prefixes return Err with upgrade hint
• CURRENT_REGISTRY_SCHEMA_VERSION bumped to 2
• Existing tests updated for new behavior
• ARCHITECTURE.md schema versioning section updated