P2.1: domain structs + boundary validation

Add the core distribution domain model under src/domain/ (App, Release,
Artifact, Channel, AuditEvent + Platform/Visibility/ValidationStatus/
RolloutPolicy enums) and a boundary validator that returns one distinct
typed ValidationErr per failure class (BadSlug, EmptyVersion, BadVersion,
BadChannelName, UnknownPlatform, MissingField, BadRollout).

Pure sx, depends only on modules/std.sx; lookups left as linear scans over
List (no HashMap). tests/domain_validate.sx asserts valid App/Release/
Artifact/Channel are accepted and each invalid case is rejected with the
exact expected error tag.

src/domain/audit.sx

@@ -0,0 +1,15 @@
+#import "modules/std.sx";
+
+// An append-only record of a mutation. `actor` is the user or service that
+// performed `action` on the target identified by `target_type` +
+// `target_id`. `metadata` is an opaque string for now (structured JSON
+// arrives with std/json in a later step). `created_at` is unix epoch seconds.
+AuditEvent :: struct {
+    id: string;
+    actor: string;
+    action: string;
+    target_type: string;
+    target_id: string;
+    metadata: string;
+    created_at: s64;
+}