This repository was archived by the owner on May 24, 2026. It is now read-only.

Fix audit: record v1.0.0 historical release, mark v1.1.0 pre-release, update docs and scripts #7

Merged: GsCommand merged 1 commit into main from codex/fix-high-priority-issues-from-protocol-commons-audit on Mar 18, 2026


Conversation

@GsCommand
Contributor

Motivation

  • Record the last pinned canonical release machine-readably and keep v1.1.0 clearly marked as an in-repo pre-release candidate to preserve provenance and avoid accidental promotion.
  • Make onboarding/governance/security docs consistent with the current release-state model and avoid implying legacy x402/trace assumptions apply to v1.1.0.
  • Ensure developer tooling scans all schema versions, produces checksums in the canonical text format, and avoid misleading contributors with a TODO manifest generator.

Description

  • Update manifest.json to keep v1.1.0 as the active in-repo schema family, mark its CID as pending/pre-release, and add a machine-readable historical_releases entry for v1.0.0 including schemas_root, pinned schemas_cid, examples_root, and per-verb legacy schema paths.
  • Add a v1.1.0 resolution entry to RESOLUTION.md (date inferred from repo history: 2026-03-18) with class: Commons, all 10 verbs, action: Revised, the requested reason text, resolution/status noting pre-release candidate + CID pending, and approver: Founding Steward.
  • Update docs: replace POLICY.md references with SCHEMAS.md and clarify onboarding wording to avoid implying x402/trace apply to v1.1.0, and clarify that v1.0.0 is the locked canonical release while v1.1.0 is the active in-repo pre-release candidate in ONBOARDING.md, GOVERNANCE.md, and SECURITY.md.
  • Tooling changes: make scripts/find-union-types.mjs scan the full schemas/ tree, update scripts/generate-checksums.mjs to default to schemas/, align output with the repository's checksums.txt text-mode format, and add a clear comment noting the shell script is the canonical generator; replace scripts/build-manifest.mjs TODO with an explicit non-functional stub that exits non-zero and documents it is not the canonical manifest generator to avoid misleading contributors.

Files changed: manifest.json, RESOLUTION.md, ONBOARDING.md, GOVERNANCE.md, SECURITY.md, scripts/find-union-types.mjs, scripts/generate-checksums.mjs, and scripts/build-manifest.mjs.

Notes / intentional scope limits: no schema files or example files were modified, checksums.txt and the canonical shell checksum generator scripts/generate-checksums.sh were left intact, and scripts/build-manifest.mjs remains intentionally non-functional to avoid creating an unofficial authoritative generator.

Unresolved design decision: the manifest now uses a historical_releases array for machine-readable history which is consistent with the edits but not yet formalized as a manifest schema (left for maintainers/governance to standardize).

Testing

  • Ran npm run validate (which runs schema compilation and example validation) and it completed successfully.
  • Ran npm run checksums:verify and all checked entries for both v1.0.0 and v1.1.0 returned OK.
  • Ran node scripts/find-union-types.mjs, which executed and reported union-type constructs found in the repository (output surfaced to developers for follow-up).
  • Ran the Node checksum helper node scripts/generate-checksums.mjs schemas <tmpfile> and diff -u checksums.txt <tmpfile> to verify parity with the canonical checksums.txt, and the diff was clean.
  • Ran node scripts/build-manifest.mjs and confirmed it exits non-zero with an explicit message stating it is not wired into the release workflow (expected behavior).

Codex Task

@GsCommand GsCommand merged commit afb96f6 into main Mar 18, 2026
1 check passed
@GsCommand GsCommand deleted the codex/fix-high-priority-issues-from-protocol-commons-audit branch March 20, 2026 01:48
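
The Testing section's parity check (regenerate, then `diff -u` against `checksums.txt`) covers a case that checking listed entries alone does not: a schema file that was never added to the list. The following is an added example, not the repository's own scripts; it assumes SHA-256 digests in `sha256sum` text-mode lines, and the function names, directory layout and file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Assumptions: SHA-256 digests, sha256sum text-mode lines
# ("<hex>  <path>"), and a constructed schemas/<version>/ layout.

# Print one checksum line per file under <root>, paths relative to <repo>,
# sorted bytewise so independent generators produce identical output.
gen_checksums() {
  local repo=$1 root=$2
  (cd "$repo" && find "$root" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum)
}

# Check only the files named in <list>; files absent from the list are not seen.
verify_listed() {
  local repo=$1 list=$2
  (cd "$repo" && sha256sum -c "$list" >/dev/null 2>&1)
}

# Regenerate and diff against the committed list: catches changed, removed
# and unlisted files. Returns non-zero on any drift.
check_parity() {
  local repo=$1 root=$2 list=$3 tmp rc=0
  tmp=$(mktemp)
  gen_checksums "$repo" "$root" > "$tmp"
  diff -u "$repo/$list" "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Build a small constructed repository and print its path.
make_demo_repo() {
  local repo
  repo=$(mktemp -d)
  mkdir -p "$repo/schemas/v1.0.0" "$repo/schemas/v1.1.0"
  printf '{"title":"legacy"}\n'    > "$repo/schemas/v1.0.0/example.schema.json"
  printf '{"title":"candidate"}\n' > "$repo/schemas/v1.1.0/example.schema.json"
  gen_checksums "$repo" schemas > "$repo/checksums.txt"
  printf '%s\n' "$repo"
}

demo() {
  local repo
  repo=$(make_demo_repo)
  check_parity "$repo" schemas checksums.txt && echo "parity: clean"
  # A file added after the list was written passes -c but fails the parity diff.
  printf '{}\n' > "$repo/schemas/v1.1.0/unlisted.schema.json"
  verify_listed "$repo" checksums.txt && echo "listed entries: OK"
  check_parity "$repo" schemas checksums.txt >/dev/null || echo "parity: drift detected"
  rm -rf "$repo"
}
demo
```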