feat: upgrade SAFE-UC-0030 (Teen safety and age-assurance) to draft

[arjunastha]

Summary

Promotes SAFE-UC-0030 from seed to full draft. First SAFE-AUCA UC where the safety move is to block access (keep minors out of adult-only content) rather than to permit a regulated action carefully.

Changes

• Evidence: 10 verified public citations (UK OSA, Ofcom HEAA, EU Commission DSA Article 28 guidelines, EDPB Statement 1/2025, FTC COPPA final rule, NIST IR 8525, NY OAG Meta, FTC TikTok lawsuit, Apple Declared Age Range, Yoti white paper)
• §7: 7-stage kill chain with three stages explicitly annotated NOVEL vs sibling UCs (block-access-as-safety inversion at S2, parental-supervisor identity triangle at S5, tipping-off-constrained reporting at S6)
• §8: SAFE-MCP mapping across 24 techniques (broadest tactical footprint in the registry to date). Framework gap note covers IDs not yet published for parental-supervisor identity triangle, block-access inversion, and federated age-signal issuer compromise.
• Framework crosswalk: NIST AI RMF, NIST AI 600-1, NIST IR 8525 (May 2024), NIST SP 800-63 Rev. 4 (July 2025), ISO/IEC 27566-1:2025 (December 2025, first international age-assurance framework), OWASP LLM Top 10 (2025), MITRE ATLAS, UK OSA with Ofcom HEAA, EU DSA Article 28, EDPB Statement 1/2025, COPPA 2025 amendments, ICO Children's Code, CAADCA (partially enjoined), SCOPE Act and Utah SMRA (under partial or full injunction), KOSA (not law as of April 2026, reintroduced May 2025 in 119th Congress), GDPR Article 8, BIPA / CUBI / Washington biometric statutes
• Incident citations precision-framed: NY OAG 42-state Meta complaint (24 October 2023), FTC and DOJ TikTok lawsuit not settlement (2 August 2024, up to USD 51,744 per violation per day), Epic Games / Fortnite USD 275M COPPA + USD 245M Section 5 = USD 520M total (19 December 2022), NM AG Snap (September 2024), Texas AG Roblox (November 2025), Ofcom AVS Group GBP 1M plus GBP 50K (4 December 2025, first seven-figure HEAA enforcement), ICO TikTok GBP 12.7M (April 2023, 1.1 to 1.4 million UK under-13 users), Ninth Circuit NetChoice v. Bonta (16 August 2024)
• Appendix B uses 6-subsection form (SAFE-MCP techniques / frameworks / incidents / safeguards / domain-regulatory / vendor product patterns) given dense regulatory and vendor landscape
• Coined new workflow_family "Teen safety and online child protection"
• Crosswalk: status seed to draft; maturity added; 19 tags
• Root README index row: Seed to Draft

Citation accuracy

All 74 URLs independently live-verified in Phase 2 before commit (65 verification calls total). Tier coverage: 100 percent Tier A (regulators, standards bodies, government, judicial) or Tier B (vendor first-party docs, security-vendor disclosures, peer-reviewed research) or Tier C (reputable journalism with corroboration to Tier A or B). Zero Tier D citations.

Precision-critical facts verified: SAFE-T1402 "Stenography" typo preserved verbatim; FTC v TikTok is a lawsuit not a settlement; Epic Games December 2022 was USD 520M total; KOSA NOT LAW as of April 2026; CAADCA partially enjoined; SCOPE Act and Utah SMRA under partial or full injunction; COPPA 2025 amendments effective 23 June 2025 with compliance 22 April 2026; ISO/IEC 27566-1 published December 2025; NIST IR 8525 from May 2024 is the independent face age estimation benchmark with demographic dependence breakdown; Ofcom AVS Group GBP 1M is the first seven-figure HEAA-related enforcement.

Safety attestation

No exploit steps, no sensitive information, defender-friendly throughout. Voice-drift scan returned 0 DRIFT after three targeted rewords. Em-dash scan returned 0 hits (drafted under the new no-em-dash human-technical-writer voice rule). Every must, required, mandatory, shall hit falls into the hard-safety whitelist (tenant isolation, write-back gating, regulatory verbatim surfacing, attribution to human principal, tipping-off prohibition), factual-regulatory (quoting law verbatim), or structural template-inherited usage.

Requesting DSO review per CONTRIBUTING.md.