feat: add governance boundary detector prototype

[tomjwxf]

Summary

This adds a reversible governance-boundary prototype for #1012.

The new gitnexus governance [path] command scans a repository for governance/config surfaces and sensitive operation paths, then emits both:

• a human-readable agent-context report
• a JSON report with an advisory graph patch

The graph patch deliberately uses existing CodeElement nodes plus DEFINES and USES relationships, so the prototype does not require a schema migration or new first-class node labels.

What it detects

Governance surfaces:

• .mcp.json, .mcp.jsonc, mcp.json
• surfaces.yaml, surfaces.yml, .surfaces.yaml
• *.cedar
• .veritasacta/, veritasacta.config.json
• .scopeblind/, protect-mcp.config.json
• agent-governance.json, .agent-governance.json, paths containing agent-governance

Sensitive operations:

• network calls (fetch, Axios, Python HTTP clients, sockets, Node HTTP/TLS/net)
• process execution (exec, spawn, child_process, Python subprocess/os execution)
• filesystem writes
• environment/secret access

Why this shape

This is intentionally advisory. It gives agents governance-relevant context before they edit sensitive code, while leaving enforcement to the runtime hook, policy engine, gateway, or CI job that owns the boundary.

Validation

• npx vitest run test/unit/governance-detector.test.ts
• npx tsc --noEmit in gitnexus
• npm run build in gitnexus
• npm run lint at repo root exits 0; existing repo warnings remain
• smoke-tested node gitnexus/dist/cli/index.js governance . --max-files 400

[vercel]

@ZeroXLauren is attempting to deploy a commit to the NexusCore Team on Vercel.

A member of the Team first needs to authorize it.