P2.1: address review — harden artifact validation, release/artifact fields

- validate_artifact: add empty content_type -> MissingField; size_bytes <= 0
  -> new BadSize; sha256 not exactly 64 lowercase-hex -> new BadDigest (via
  validate_sha256). The valid fixture (64-hex sha, positive size, non-empty
  content_type) stays accepted.
- Release: rename updated_at -> published_at (published_at = 0 means draft).
  Final order: id, app_id, version, build, channel, notes, created_by,
  created_at, published_at.
- Artifact: add opaque metadata: string before validation_status.
- tests: add empty-content_type/MissingField, bad-size/BadSize,
  malformed-sha256/BadDigest cases and contract pins reading back
  Release.published_at and Artifact.metadata.

PO-ruled out of scope and NOT added: Token model, in-memory repository (P2.3).

src/domain/artifact.sx

@@ -10,8 +10,9 @@ ValidationStatus :: enum u8 {
 }
 
 // A single uploaded binary belonging to a release, for one platform.
-// `sha256` is the lowercase hex digest; `storage_key` locates the bytes
-// in the blob store.
+// `sha256` is the lowercase-hex content digest; `storage_key` locates the
+// bytes in the blob store. `metadata` is an opaque string (mirroring
+// AuditEvent.metadata) carrying per-artifact data the manifest emits later.
 Artifact :: struct {
     id: string;
     app_id: string;
@@ -22,5 +23,6 @@ Artifact :: struct {
     size_bytes: s64;
     sha256: string;
     storage_key: string;
+    metadata: string;
     validation_status: ValidationStatus = .pending;
 }