feat: add HO-DET-001 SOCaaS pilot receipt flow

[raylee-hawkins]

Summary:

• Adds the scoped HO-DET-001 SOCaaS pilot receipt-flow layer.
• Connects detection intent, robustness/decomposition, validation evidence, deterministic checks, triage-support boundaries, proof receipt wording, and customer-safe claim language.
• Keeps the proof ceiling at CONTROLLED_TEST_VALIDATED.

Scope:

• HO-DET-001 only.
• Receipt/reviewer/customer-safe metadata and documentation only.
• No detection matching logic changes.
• No SPL changes.
• No runtime-active, signal-observed, production/customer deployment, public-safe runtime, AI-approved, analyst-approved, autonomous SOC, or autonomous-resolution claim.

Validation:

• git diff --check passed across scoped repos.
• Detection contract passed.
• Detection promotion matrix passed.
• HO-DET-001 validation passed: 14 cases, 7 matched positives, no missed positives, no false-positive negatives.
• Claim-boundary scan passed.
• Result parity passed.
• Triage boundary passed.
• Closed AutoSOC loop contract passed.
• Case packet contract passed.
• Platform SOAR sample verifier passed using stdlib fallback because jsonschema was unavailable.
• Proof integrity checks passed.
• Website TypeScript no-emit check passed.

Claim Boundary:

• Final ceiling remains CONTROLLED_TEST_VALIDATED.
• Rendering, proof records, and receipt language are reviewer/customer-safe explanation surfaces only.
• Human authority remains required.

[raylee-hawkins]

This PR adds the scoped HO-DET-001 SOCaaS pilot receipt-flow layer without changing detection matching logic.

The purpose is to make one detection inspectable end-to-end:

• what the detection looks for
• why it is robust or weak
• what validation evidence was used
• whether deterministic checks passed
• what triage-support boundary exists
• what receipt proves the state
• what a human can safely tell a customer

Claim boundary remains CONTROLLED_TEST_VALIDATED.

This does not claim runtime-active, signal-observed, production/customer deployment, public-safe runtime evidence, autonomous SOC, AI-approved disposition, analyst-approved disposition, or autonomous resolution.

[raylee-hawkins]

Reviewed for scoped HO-DET-001 SOCaaS pilot receipt-flow merge.

Scope confirmed:

• HO-DET-001 only.
• Receipt/reviewer/customer-safe metadata and documentation only.
• No detection matching logic change.
• No SPL change.
• Claim ceiling remains CONTROLLED_TEST_VALIDATED.

This merge does not claim runtime-active, signal-observed, production/customer deployment, public-safe runtime evidence, autonomous SOC, AI-approved disposition, analyst-approved disposition, or autonomous resolution.

Human authority remains required.