Implement declarative plugin behavior context proof (#1068)

[tamirdresher]

Closes #1068
References #1069, #1070, #1071, #1076

Summary

• Adds declarative plugin metadata for repositories, upstream packages, optional MCP integrations, and typed provider contracts.
• Adds runtime plugin context injection so enabled plugins contribute installed static guidance and provider summaries to spawned agent system prompts.
• Adds real external integration samples for Graphify, MemPalace, and Index Server without fake Copilot dependencies or arbitrary execution.
• Documents the three-lane boundary: Squad declarative plugins, Copilot plugin dependencies, and external upstream/MCP/provider metadata.

Behavioral proof

• Disabled plugins do not affect spawned agent context.
• Enabled Graphify, MemPalace, and Index Server plugins inject their installed static guidance under Plugin Context.
• Provider contracts are parsed, validated, persisted in installed plugin state, surfaced by the CLI, and injected into spawned-agent context as declarative metadata.
• Deterministic simulations prove scenario-specific spawned-agent planning deltas:
  • Graphify selects knowledge graph / code relationship analysis and references graphify-out/GRAPH_REPORT.md.
  • MemPalace selects spatial memory concepts: rooms, shelves, trails, and landmarks.
  • Index Server selects a governed instruction / knowledge catalog workflow.
• Tampered plugin state cannot read outside .squad/.
• Squad still does not install upstream packages, run external CLIs, start MCP servers, call provider tools, or query external services in this MVP.

Validation

• npm test -- --run test/plugin-extensibility.test.ts - 16 passed
• Fresh ephemeral CLI lifecycle experiments for Graphify, MemPalace, and Index Server - validate, dry-run, install, enable, switch, list --json provider persistence, verify, uninstall-clean passed
• npm run lint - passed
• npm run build - passed
• npm run lint:docs - passed
• npm run docs:build - passed
• git --no-pager diff --check - passed

Caveat

Full npm test is still not used as the local merge gate here because this worktree has unrelated existing baseline/environment failures outside plugin extensibility. The focused plugin behavior suite, provider-contract simulations, lint, package build, docs lint, and docs build are clean.

[tamirdresher]

Follow-up roadmap filed so #1092 can stay focused as the governed MVP:

• Epic: Epic: Plugin extensibility phase 2 roadmap after governed MVP #1102
• Phase 1 marketplace distribution: Phase 1: Remote plugin marketplace distribution for declarative plugins #1103
• Phase 2 governed provider expansion: Phase 2: Expand governed built-in runtime providers #1104
• Phase 3 trusted executable provider RFC/runtime: Phase 3 RFC: Trusted executable provider runtime and sandbox #1105

Recommendation: merge #1092 as the safe foundation, then handle executable/tool/provider power through these gated follow-ups with explicit security review.