Add security scan receipt metadata #1405

Closed
HarperZ9 wants to merge 1 commit into modelcontextprotocol:main from HarperZ9:telos-security-scan-meta
@HarperZ9

Refs #1273.

Summary

  • Adds optional _meta[io.modelcontextprotocol.registry/security-scan] receipt metadata to ServerDetail.
  • Regenerates the draft server.schema.json from the OpenAPI source.
  • Documents scanner-neutral, artifact-bound semantics: clean is scoped to the artifact, scanner, rule set, policy profile, and scanScope; it is not a global server-safety claim.
  • Adds a draft changelog entry.

I used camelCase for receipt fields to match the existing server.json schema conventions. The inconclusive reason values remain machine-readable enum strings.

Verification

  • openapi.yaml parses with PyYAML.
  • Draft server.schema.json passes Draft 7 schema validation with Python jsonschema.
  • A minimal security-scan receipt example validates against the draft schema.
  • A Python reimplementation of tools/extract-server-schema produced a byte-identical server.schema.json after Go-style JSON escaping.
  • git diff --check passed.

Local note: this Windows shell does not have make or go, so I could not run make generate-schema or make check-schema directly. The generated schema parity check above follows the repository extraction logic and verifies the checked-in draft schema is synchronized with openapi.yaml.
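
The artifact-bound semantics described in the summary above, as an added example that is not part of the pull request or the registry code: a consumer honors a clean receipt only when every binding matches what it is about to install. The _meta key and scanScope come from the PR text; all other field names and the sample values are hypothetical.

```python
# Added illustration, not registry code. Only META_KEY and "scanScope" appear in
# the PR text; every other field name and all sample values are hypothetical.
META_KEY = "io.modelcontextprotocol.registry/security-scan"
BINDINGS = ("artifactDigest", "scanner", "ruleSet", "policyProfile", "scanScope")


def receipt_covers(server_detail, required):
    """Return (ok, reason); ok only if a clean receipt matches every binding."""
    missing = [f for f in BINDINGS if f not in required]
    if missing:
        raise ValueError(f"caller must pin every binding, missing: {missing}")
    receipt = (server_detail.get("_meta") or {}).get(META_KEY)
    if not isinstance(receipt, dict):
        return False, "no receipt"  # the metadata is optional; absence is not a verdict
    if receipt.get("result") != "clean":
        return False, f"result is {receipt.get('result')!r}"
    for field in BINDINGS:
        # Fail closed: a binding missing from the receipt never matches.
        if receipt.get(field) != required[field]:
            return False, f"{field} mismatch"
    return True, "ok"


# Constructed sample ServerDetail fragment and consumer requirements.
REQUIRED = {
    "artifactDigest": "sha256:" + "a" * 64,
    "scanner": "example-scanner",
    "ruleSet": "2025.01",
    "policyProfile": "baseline",
    "scanScope": "package",
}
SAMPLE = {"name": "example/server", "_meta": {META_KEY: dict(REQUIRED, result="clean")}}

if __name__ == "__main__":
    print(receipt_covers(SAMPLE, REQUIRED))
    rebuilt = dict(REQUIRED, artifactDigest="sha256:" + "b" * 64)
    print(receipt_covers(SAMPLE, rebuilt))  # same server name, different artifact
```
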

@HarperZ9

Author

Closing this as a duplicate of #1404.

I opened this after working from #1273, but #1404 was already open and is the stronger consolidation point: it adds the componentized receipt schema, official-registry behavior notes, generated schema output, and full local validation from the repo toolchain. Keeping both open would split maintainer review for the same v1 shape.

I'll route any further review comments to #1404.
