Add enterprise style package provenance guard

[AlonePenguin]

@algora-pbc /claim #19

Summary

• Adds a distinct enterprise-style-package-provenance-guard/ module for the Enterprise Tooling export-pipeline requirement.
• Validates journal/funder formatting style packages before institution-scale JATS, DOCX, and LaTeX exports are released.
• Checks approved plugin versions, template checksum parity, citation-style parity, DOI/ORCID/version-history preservation, validation freshness, reviewer signoff, export-format coverage, generated-output provenance digests, and private style-preview field leakage.

Non-overlap

This avoids existing #19 slices for broad dashboards, webhooks/replay/delivery/redaction, SSO/SCIM, LMS roster/passback, repository sync/deposit reconciliation, API rate limits, vendor DPA, cohort privacy, incident response, admin alerts, retention, quota, data residency, and generic export approval. It focuses only on formatting-plugin and style-template provenance before enterprise export release.

Validation

• npm --prefix enterprise-style-package-provenance-guard run check
• npm --prefix enterprise-style-package-provenance-guard test
• npm --prefix enterprise-style-package-provenance-guard run demo
• npm --prefix enterprise-style-package-provenance-guard run verify-video
• git diff --cached --check -- enterprise-style-package-provenance-guard
• ASCII and restricted-string scans over enterprise-style-package-provenance-guard returned no findings

Demo artifact: enterprise-style-package-provenance-guard/reports/demo.mp4 (H.264, 960x540, 4s, 18fps).

Attempt registered in issue #19: #19 (comment)

Synthetic data only. No live repositories, journal systems, funder portals, credentials, private manuscripts, external APIs, payment systems, payout accounts, or external services are used.