docs(trust): add trust & security landing page for CISOs (#2817)

[bokelley]

Closes #2817

Adds docs/trust.mdx — a landing page for CISOs, compliance reviewers, and procurement teams evaluating an AdCP deployment. A previous attempt (PR #2814) was withdrawn for overclaiming what the protocol enforces. This PR uses the honest framing from the issue brief: AdCP separates decisions so no single agent can act unilaterally, and makes every decision cryptographically re-verifiable — but it does not enforce policy; deployers do, through the seams the protocol provides.

Six trust pillars (governance, regulatory, privacy, security, provenance, disclosure) each have a "What AdCP provides" and "What AdCP does not provide" section with links to canonical pages. A compliance reviewer quick-reference table lists the wire-level hooks.

Non-breaking justification: Adds a new doc page and two nav entries in docs.json. No existing pages, schemas, or server code modified. Existing consumers unaffected.

Accuracy from the issue brief — verified in pre-PR review:

• RFC 9421 stated as baseline for signed requests and webhook deliveries (not HMAC)
• AdCP Verified correctly stated as self-attested in 3.0; formal program launches in 3.1
• check_governance described as a seam, not an enforcer
• Key-transparency gap noted per known-limitations.mdx lines 43–44

Nav placement: docs/trust inserted in both the 3.0 (default) and latest versions of docs.json. In 3.0, it's a flat entry alongside docs/faq and docs/ai-disclosure. In latest, it joins the "FAQ" group where those pages already live — this asymmetry mirrors the existing nav structure for those two pages and is intentional.

Nit (not fixed): The latest version places the entry inside a "FAQ" group while 3.0 uses a flat entry. This mirrors the existing behavior of docs/faq and docs/ai-disclosure in those two nav versions; aligning them is a separate nav-refactor decision.

Pre-PR review:

• code-reviewer: approved — one nit (changeset typo fixed), nav asymmetry noted as existing behavior
• docs-expert: approved after fixing two blockers: (1) wrong link for audit logs (fixed to /docs/governance/campaign/tasks/get_plan_audit_logs); (2) webhook signing not described — added RFC 9421 + HMAC opt-in to the security pillar's "What AdCP provides" list

Triage-managed PR. This bot does not currently iterate on
review comments or PR conversation threads (only on the source
issue). To unblock:

• Push fixup commits directly: gh pr checkout <num> →
  fix → push.
• Or re-trigger: comment /triage execute on the source
  issue.

See #3121
for context.

Session: https://claude.ai/code/session_01AUdNdAX8DoatPcvPhmVS2t

---

Generated by Claude Code