feat: Add inter-package version compatibility matrix and runtime validation

[imran-siddique]

Problem

Five packages (agent-os-kernel v2.0.2, agentmesh-platform v2.0.2, agent-sre v1.1.2, ai-agent-compliance v1.0.2) have independent version numbers. Dependencies use only minimum version constraints (e.g., agent-os-kernel>=1.0.0) with no upper bounds.

A team running agent-os-kernel v2.1 against agentmesh-platform v2.0 has no guarantee the trust handshake protocol is compatible, and no tooling to detect the mismatch.

Evidence from Code Audit

• ai-agent-compliance pins: agent-os-kernel>=1.0.0, agentmesh-platform>=1.0.0 — no upper bounds
• agentmesh pins: agent-os-kernel[nexus,iatp]>=1.2.0 — no upper bound
• No compatibility matrix, no runtime version negotiation
• The unified installer ai-agent-compliance[full] doesn't enforce cross-package compatibility

Proposed Solution

1. Compatibility matrix: Machine-readable compatibility.json mapping tested version combinations
2. Runtime version check: On import, each package checks peer package versions against known-compatible ranges and warns on skew
3. Strict optional pinning: Add upper-bound pins (e.g., >=2.0.0,<3.0.0) for cross-package deps
4. CI matrix testing: Test all supported version combinations in CI
5. governance-doctor CLI command: Validates installed versions against compatibility matrix

Acceptance Criteria

• compatibility.json with tested version pairs
• Runtime warning on version skew at import time
• Upper-bound version constraints in pyproject.toml
• python -m agent_os doctor reports version compatibility
• CI tests at least (latest, latest-1) version matrix

/cc @imran-siddique

[imran-siddique]

PR #85 adds compat.py with a machine-readable compatibility matrix, doctor() for environment validation, and check_compatibility() for pair-wise version checking. 16 tests pass. For CI matrix testing (testing version combinations), that would be a follow-up.