Add model adapter composition evidence gates

[Peter7896]

Summary

• Upgrades model-supply-chain to v1.1.0 with adapter-composition evidence gates for LoRA, QLoRA, PEFT, merged releases, and runtime adapter activation.
• Adds release evidence for base model, adapter, tokenizer/config, prompt template, merge tool, output digest, runtime allowlist, packaged-adapter inventory, and evaluation binding.
• Adds benign and vulnerable JSON fixtures for pinned compositions, merged release manifests, floating base models, runtime adapter switching, missing merge digests, and unapproved packaged adapters.

Related issue

Closes #1278

Validation

• git diff --check
• git diff origin/main..HEAD --check
• Frontmatter required-field check for model-supply-chain/SKILL.md
• JSON parse check for added fixtures
• Markdown fence-balance check
• ASCII check for touched files
• Prompt-injection pattern scan on added diff lines
• Public identity hygiene scan on added diff lines
• Marker coverage check for LoRA, QLoRA, PEFT, adapter_config.json, base_model_name_or_path, PeftModel, load_adapter, set_adapter, active_adapter, merge_and_unload, adapter_model, Composition Digest, runtime allowlist, packaged adapter inventory, Not Evaluable, tokenizer, prompt template, and evaluation binding