spec: add §3.3.1 verification guidance for external execution evidence (#34)

[imran-siddique]

Summary

Adds §3.3.1 — External execution evidence (optional) — under §3.3, the verification section.

This is the spec-side counterpart to agentrust-io/cmcp#301, which added the external_execution_evidence receipt field to cMCP audit entries and implemented signature verification in cmcp-verify. TRACE needed matching guidance so the spec and the reference implementation stay aligned.

Key rules defined:

• When a verifier holds the named issuer's public key: verify the JCS-canonical receipt signature, assert linked_call_id == call_id, fail closed on any mismatch
• When the issuer key is not configured: receipt is unverified, not invalid; gateway-produced evidence is unaffected; verifier SHOULD surface external_evidence_unverified rather than silently ignoring
• Trust boundary explicit: TRACE binds the receipt; it does not certify physical actions, actuation outcomes, or functional-safety compliance

No schema changes — the receipt lives in the cMCP audit chain (committed by the Trust Record's tool_transcript.hash), not in the TRACE Trust Record itself.

Test plan

• Read through §3.3 end-to-end to confirm new subsection flows naturally after steps 1–7
• Confirm cmcp-verify behavior matches the three rules (configured key → verify + reject on fail; unconfigured key → unverified-not-invalid)
• Reference: feat: add Nobulex — Ed25519 action receipts as external execution evidence integrations#6 (Nobulex receipt) and @vaaraio's SPEC.md as external producer implementations consistent with this guidance

Closes #34