Add project provisioning baseline guard

[HunterCML]

/claim #11

Summary

• Adds project-provisioning-baseline-guard/, a focused User & Project Management slice for safe project creation before a workspace is opened.
• Validates requester authority, verified institution/profile evidence, fresh MFA, required metadata, template controls, visibility by data classification, initial owner/data-steward roles, object-level grants, external collaborator constraints, and immutable audit evidence.
• Emits deterministic JSON/Markdown/SVG reviewer artifacts plus a committed MP4 demo.

Demo and artifacts

• project-provisioning-baseline-guard/demo.mp4
• project-provisioning-baseline-guard/demo.svg
• project-provisioning-baseline-guard/reports/provisioning-baseline-packet.json
• project-provisioning-baseline-guard/reports/provisioning-baseline-report.md
• project-provisioning-baseline-guard/reports/summary.svg

Validation

• node project-provisioning-baseline-guard/test.js
• node project-provisioning-baseline-guard/demo.js
• node project-provisioning-baseline-guard/render-video.js
• node --check project-provisioning-baseline-guard/index.js
• node --check project-provisioning-baseline-guard/test.js
• node --check project-provisioning-baseline-guard/demo.js
• node --check project-provisioning-baseline-guard/render-video.js
• ffprobe -v error -show_entries format=duration,size -show_entries stream=codec_name,width,height -of default=noprint_wrappers=1 project-provisioning-baseline-guard/demo.mp4 -> H.264, 1280x720, 8.4s, 99,909 bytes
• git diff --check
• git diff --cached --check

Synthetic data only. No credentials, private user/project data, OAuth, SAML, ORCID, identity-provider calls, live projects, production access-control systems, or external APIs are used.