
feat: upgrade SAFE-UC-0002 (Personalized shopping sidekick) to draft#35

Merged
bishnubista merged 1 commit into secure-agentic-framework:main from arjunastha:use-case/SAFE-UC-0002-personalized-shopping-sidekick on Apr 25, 2026

Conversation

@arjunastha (Contributor)

Summary

Promotes SAFE-UC-0002 from seed to full draft. First retail use case in the SAFE-AUCA registry, opening NAICS 44-45.

Changes

  • Evidence: 10 verified public citations (FTC Reviews Rule, Endorsement Guides, Operation AI Comply, Click-to-Cancel, DSA, Moffatt v Air Canada, Greshake et al, Mathur et al, Amazon Rufus launch)
  • §7: 6-stage baseline-shape kill chain (after four consecutive expanded drafts at 0008, 0021, 0025, 0030) with two stages explicitly annotated NOVEL vs sibling UCs: sponsor-disclosure transparency at S2, purchase-as-write-back gating at S4
  • §8: SAFE-MCP mapping across 14 techniques within the 12 to 15 baseline target
  • Framework crosswalk: NIST AI RMF, NIST AI 600-1, OWASP LLM Top 10 2025, MITRE ATLAS, EU AI Act Article 50, FTC Reviews Rule (16 CFR Part 465 effective 21 October 2024), FTC Endorsement Guides (16 CFR Part 255 revised June 2023), FTC Click-to-Cancel Rule (16 CFR Part 425 amended October 2024), ROSCA, CFPB Circular 2023-01, California ARL with AB 2863, DSA Articles 25/27/28 with Commission July 2025 Guidelines, COPPA 2025 amendments, CCPA/CPRA ADMT regulations finalised 23 September 2025, PCI DSS 4.0.1
  • Incident citations precision-framed: Moffatt v Air Canada (2024 BCCRT 149, 14 February 2024, $812 CAD), Chevy Tahoe prompt-injection demo (December 2023), FTC Operation AI Comply (25 September 2024), FTC v Amazon Prime (21 June 2023 filing), FTC v Adobe (June 2024), EU Commission v Temu (31 October 2024), EU Commission v Shein (16 February 2026), TechCrunch independent Rufus review (5 March 2024), Bloomberg Klarna AI-to-human reversal (8 May 2025), Greshake et al indirect prompt injection (arXiv 2302.12173), Mathur et al dark patterns at scale (Princeton CSCW 2019)
  • Appendix B uses 6-subsection form (SAFE-MCP techniques / frameworks / incidents / safeguards / domain-regulatory / vendor product patterns) given the dense vendor and regulatory landscape
  • Coined new workflow_family "Consumer retail and shopping assistants"
  • Crosswalk: status seed to draft; maturity added; 18 tags
  • Root README index row: Seed to Draft

Citation accuracy

All 69 URLs independently live-verified in Phase 2 before commit (54 verification calls total). Tier coverage: 100 percent Tier A (28 URLs: regulators, judicial, government, standards) or Tier B (36 URLs: vendor first-party, GitHub canonical, arxiv, MITRE, OWASP, AI Incident Database) or Tier C (3 URLs: TechCrunch Rufus review, Bloomberg Klarna reversal, CBC Air Canada, all corroborated to Tier A or B). Zero Tier D citations.

Precision-critical facts verified: SAFE-T1402 "Stenography" typo preserved verbatim; FTC Reviews Rule (16 CFR Part 465) effective 21 October 2024 distinct from Endorsement Guides (16 CFR Part 255 revised June 2023); FTC Click-to-Cancel Rule October 2024 amends 16 CFR Part 425 Negative Option Rule (separate from Reviews Rule); California ARL 2024 amendment is AB 2863 (signed 24 September 2024, effective 1 July 2025), not AB 390; CFPB Circular 2023-01 dated 19 January 2023; Moffatt v Air Canada is BCCRT (Civil Resolution Tribunal), $812 CAD total, negligent misrepresentation; Chevy Tahoe prompt-injection demo by Chris Bakke December 2023 (not fraud, not enforceable sale); FTC v Amazon Prime June 2023 cited as the lawsuit filing; EU AI Act Article 50 applies from 2 August 2026; DSA Article 28 Guidelines published 14 July 2025; CPPA finalized ADMT regulations approved 23 September 2025 in force 1 January 2027.

Safety attestation

No exploit steps, no sensitive information, defender-friendly throughout. Voice-drift scan returned 0 DRIFT. Em-dash scan returned 0 hits after two targeted rewords in §7 kill-chain table headings. Drafted under the no-em-dash human-technical-writer voice rule. Every must, required, mandatory hit falls into the hard-safety whitelist (HITL gating, regulatory verbatim surfacing, attribution to human principal), factual-regulatory (quoting law verbatim), or structural template-inherited usage.

Requesting DSO review per CONTRIBUTING.md.

… to full draft

First retail use case in the SAFE-AUCA registry, opening NAICS 44-45.
6-stage baseline-shape kill chain (after four consecutive expanded drafts at
0008, 0021, 0025, 0030) with two NOVEL stages: sponsor-disclosure
transparency at S2, purchase-as-write-back gating at S4. SAFE-MCP mapping
across 14 techniques within the 12 to 15 baseline target. Framework crosswalk
spans FTC Reviews Rule (16 CFR Part 465 effective 21 October 2024),
Endorsement Guides (16 CFR Part 255 revised June 2023), Click-to-Cancel
Rule (Part 425 amended October 2024), ROSCA, CFPB Circular 2023-01,
California ARL with AB 2863 (effective 1 July 2025), DSA Articles 25/27/28
with Commission July 2025 Guidelines, COPPA 2025 amendments, EU AI Act
Article 50 (applies 2 August 2026), CCPA/CPRA ADMT regulations (finalised
23 September 2025), NIST AI 600-1, OWASP LLM Top 10 (2025), MITRE ATLAS,
PCI DSS 4.0.1. Incident citations precision-framed: Moffatt v Air Canada
(2024 BCCRT 149, 14 February 2024, $812 CAD), Chevy Tahoe prompt-injection
demo (December 2023), FTC Operation AI Comply, FTC v Amazon Prime (June
2023 filing), FTC v Adobe (June 2024), EU Commission v Temu (October
2024), EU Commission v Shein (February 2026), TechCrunch Rufus
independent review (March 2024), Bloomberg Klarna AI-to-human reversal
(May 2025). All 69 URLs live-verified in Phase 2 (100 percent Tier A or
B with 3 Tier C corroborated). Coined new workflow_family "Consumer
retail and shopping assistants". Drafted under the no-em-dash
human-technical-writer voice rule.

Signed-off-by: arjunastha <arjun@astha.ai>
@arjunastha arjunastha marked this pull request as ready for review April 25, 2026 07:15
@bishnubista bishnubista merged commit 6c6d0f9 into secure-agentic-framework:main Apr 25, 2026
2 checks passed