
feat: upgrade SAFE-UC-0025 (Enterprise agent-building platform) to draft#33

Merged
bishnubista merged 2 commits into
secure-agentic-framework:mainfrom
arjunastha:use-case/SAFE-UC-0025-enterprise-agent-building-platform
Apr 25, 2026

Conversation

@arjunastha
Contributor

Summary

Promotes SAFE-UC-0025 from seed to full draft. Covers the platform-of-platforms layer where enterprise customers build, deploy, govern, and operate their own AI agents — distinct from runtime-agent UCs.

Changes

  • Evidence: 10 verified public citations (regulator primaries, vendor first-party docs, three precision-framed incident disclosures, AI Incident Database)
  • §7: 7-stage kill chain with three stages explicitly annotated NOVEL vs. sibling UCs 0018 / 0011 / 0021 / 0022 / 0024 / 0008: (a) catalog-level tool poisoning, (b) evaluation-harness bypass, (c) cross-tenant observability leakage
  • §8: SAFE-MCP mapping across 24 techniques across 11 of 14 SAFE-MCP tactics — broadest tactical footprint of any UC in the registry. Framework gap note covers SAFE-MCP IDs that don't yet exist for catalog-level / harness-bypass / cross-tenant-observability scopes.
  • Framework crosswalk: NIST AI RMF (Govern.6 third-party) + AI 600-1 + SP 800-218A SSDF GenAI Profile, EU AI Act Article 25 (provider vs deployer routing, applies 2 August 2026) + Article 50, OWASP LLM Top 10 2025 (LLM03 supply chain + LLM07 system prompt leakage as primary), ISO 42001 Annex A.10 third-party AI components, ISO 23894, OpenSSF SLSA, CSA MAESTRO (February 2025), MITRE ATLAS
  • Incident citations precision-framed: Tenable TRA-2024-32 Copilot Studio SSRF (CVE-2024-38206, CVSS 8.5, no confirmed cross-tenant exfil); Noma ForcedLeak Salesforce Agentforce (CVSS 9.4, disclosed Sept 25 2025, patched Sept 8 2025); Aim Security EchoLeak (CVE-2025-32711, CVSS 9.3, M365 Copilot runtime — explicitly distinguished from Copilot Studio platform); AI Incident DB #1152 Replit AI agent destroyed prod DB during code freeze (operational failure, not breach)
  • Appendix B: 6-subsection form (SAFE-MCP techniques / frameworks / incidents / safeguards / vendor-product patterns) — uses the optional vendor-product slot given platform-of-platforms vendor density
  • Coined new workflow_family "Enterprise agent platforms & multi-tenant agent build" to distinguish from runtime-agent UCs
  • Crosswalk: status seed → draft; maturity added; NAICS expanded with 513210 (Software Publishers); 18 tags
  • Root README index row: Seed → Draft

Citation accuracy

All 80 URLs independently live-verified in Phase 2 before commit (57 verification calls total). Tier coverage: 100% Tier A (regulators, standards bodies, government) / Tier B (vendor first-party docs, security-vendor disclosures, university research) / Tier C (reputable journalism with corroboration). Zero Tier D citations.

Precision-critical facts verified: SAFE-T1402 "Stenography" typo preserved verbatim; CVSS values correct (Tenable 8.5, ForcedLeak 9.4, EchoLeak 9.3); EU AI Act Article 25 effective date (2 August 2026, future); Replit AIID #1152 framed as operational failure not breach; M365 Copilot vs Copilot Studio distinction explicit; vendor rebrands annotated (Vertex AI Agent Builder → Gemini Enterprise Agent Platform; Mosaic AI Gateway → Unity AI Gateway; Claude Code SDK → Claude Agent SDK).

Safety attestation

No exploit steps, no sensitive information, defender-friendly throughout. Voice-drift scan returned 0 DRIFT hits — every `must` / `required` / `mandatory` falls into the hard-safety whitelist (tenant isolation, write-back gating, regulatory verbatim surfacing, attribution to human principal), factual-regulatory (quoting EU AI Act Article 25 verbatim), or structural template-inherited usage.

Requesting DSO review per CONTRIBUTING.md.
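The voice-drift scan described in the attestation above, as an added example that is not the project's own validator: it pulls every sentence containing `must`, `required` or `mandatory`, assigns it to one of the whitelist categories the attestation names (hard-safety, factual-regulatory, template-inherited) by keyword, and reports the rest as DRIFT. The keyword lists and the sample paragraph are this example's own assumptions.

```python
import re

# Modal words the attestation says were scanned (case-insensitive, whole word).
MODALS = re.compile(r"\b(must|required|mandatory)\b", re.IGNORECASE)

# Whitelist categories are the ones named in the PR's safety attestation; the
# keyword lists that decide membership are this example's own assumption.
WHITELIST = {
    "hard-safety": ["tenant isolation", "write-back", "regulatory verbatim",
                    "human principal", "attribution"],
    "factual-regulatory": ["article 25", "eu ai act"],
    "template": ["template"],
}


def split_sentences(text):
    """Naive sentence split on terminal punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def classify_sentence(sentence):
    """Return a whitelist category, 'DRIFT', or None when no modal word is present."""
    if not MODALS.search(sentence):
        return None
    lowered = sentence.lower()
    for category, keywords in WHITELIST.items():
        if any(k in lowered for k in keywords):
            return category
    return "DRIFT"


def voice_drift_scan(text):
    """Return (category, sentence) for every sentence carrying a modal word."""
    results = []
    for sentence in split_sentences(text):
        category = classify_sentence(sentence)
        if category is not None:
            results.append((category, sentence))
    return results


def drift_hits(text):
    """Sentences that use a modal word outside every whitelisted context."""
    return [s for category, s in voice_drift_scan(text) if category == "DRIFT"]


# Constructed sample paragraph, not text from the use case document.
SAMPLE = (
    "Each tenant must be isolated from every other tenant; tenant isolation is the baseline control. "
    "Article 25 of the EU AI Act applies from 2 August 2026. "
    "Providers must meet the obligations in Article 25 before placing the platform on the market. "
    "The Appendix B section is required by the UC template. "
    "Operators must adopt this framework for every deployment. "
    "Agents may call tools after a human review."
)

if __name__ == "__main__":
    for category, sentence in voice_drift_scan(SAMPLE):
        print(f"{category:<18} {sentence}")
    print("DRIFT hits:", len(drift_hits(SAMPLE)))
```

A real validator would replace the keyword lists with the repository's own whitelist file and run the scan as a pre-commit check; a non-empty `drift_hits` result is the signal that a sentence is prescribing behaviour the document has no safety or regulatory basis for.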

…seed to full draft

Expand seed into full draft covering the platform-of-platforms layer where
enterprise customers build, deploy, govern, and operate their own AI agents.
7-stage kill chain with three NOVEL stages vs. sibling UCs (0018 / 0011 / 0021
/ 0022 / 0024 / 0008): catalog-level tool poisoning, evaluation-harness
bypass, and cross-tenant observability leakage. SAFE-MCP mapping across 24
techniques. Framework crosswalk spans NIST AI RMF + AI 600-1, EU AI Act
Article 25 (provider/deployer routing), OWASP LLM Top 10 2025 (LLM03 supply
chain + LLM07 system prompt leakage), ISO 42001/23894, NIST SP 800-218A,
OpenSSF SLSA, and CSA MAESTRO. Incident citations: Tenable Copilot Studio
SSRF (CVE-2024-38206), Noma ForcedLeak Salesforce Agentforce (CVSS 9.4),
Aim EchoLeak M365 Copilot (CVE-2025-32711, distinguished as runtime not
platform), Replit AIID #1152. Coined new workflow_family "Enterprise agent
platforms & multi-tenant agent build". All citations live-verified in
Phase 2 (80 URLs, 100% Tier A/B/C, zero Tier D).

Signed-off-by: arjunastha <arjun@astha.ai>
@arjunastha arjunastha marked this pull request as ready for review April 25, 2026 02:18
Apply the new "Human technical-writer voice" skill rule that forbids em-dashes
(U+2014) and double-hyphen-as-em-dash. Replacements were context-aware:
markdown link titles use a colon, paired parentheticals use parens, and the
common mid-sentence pattern becomes a period plus capitalization. Local
validator passes; Phase 4.5 em-dash scan returns zero. No content changes
beyond punctuation.

Signed-off-by: arjunastha <arjun@astha.ai>
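The em-dash rule from the commit message above, as an added example that is not the repository's own validator: a scan that reports every U+2014 and double-hyphen-as-em-dash, plus the three context-aware replacements the message lists (link titles get a colon, paired parentheticals become parentheses, a mid-sentence dash becomes a period with capitalisation). The regexes, the decision to leave CLI flags such as `--strict` alone, and the sample text are this example's own assumptions.

```python
import re

# Pattern for an em-dash (U+2014) or a double hyphen used as one: tight between
# non-space characters ("word--word") or spaced (" -- "). A CLI flag such as
# "--strict" matches neither branch and is left alone (an assumption of this
# example, not a rule stated in the commit).
DASH = r"(?:\u2014|(?<=\S)--(?=\S)|(?<=\s)--(?=\s))"


def scan_dashes(text):
    """Return (line, column) pairs for every em-dash-style dash in text.

    An empty list is the 'zero hits' result the commit message reports.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in re.finditer(DASH, line):
            hits.append((lineno, m.start()))
    return hits


def _link_title_to_colon(m):
    # "[Title -- detail](" -> "[Title: detail]("
    return "[" + re.sub(r"\s*" + DASH + r"\s*", ": ", m.group(1)) + "]("


def convert_dashes(text):
    """Apply the three context-aware replacements, most specific first."""
    # 1. Markdown link titles: the dash becomes a colon.
    text = re.sub(r"\[([^\]]*)\]\(", _link_title_to_colon, text)
    # 2. Paired parentheticals: "x -- aside -- y" becomes "x (aside) y".
    text = re.sub(r" " + DASH + r" (.+?) " + DASH + r" ", r" (\1) ", text)
    # 3. Remaining mid-sentence dash: "clause -- clause" becomes "clause. Clause".
    text = re.sub(r"\s*" + DASH + r"\s*(\w)",
                  lambda m: ". " + m.group(1).upper(), text)
    return text


# Constructed sample, not text from the PR or the use case document.
SAMPLE = (
    "The platform — unlike runtime agents — owns the catalog.\n"
    "See [Copilot Studio -- SSRF advisory](https://example.invalid/tra) for details.\n"
    "Tenant isolation is required — every write-back is gated.\n"
    "Run the validator with --strict to fail the build.\n"
)

if __name__ == "__main__":
    print("before:", scan_dashes(SAMPLE))
    fixed = convert_dashes(SAMPLE)
    print(fixed)
    print("after:", scan_dashes(fixed))
```

Running the scan again after conversion is the check that matters: the replacements are applied most-specific first so that a dash inside a link title is never mistaken for one half of a parenthetical pair, and any dash the three rules do not cover still shows up in the second scan rather than being silently dropped.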
@bishnubista bishnubista merged commit 1ae171d into secure-agentic-framework:main Apr 25, 2026
2 checks passed