TT1: Security/capabilities for fork/rewind/merge in multiplayer #246
Description
From docs/spec-time-streams-and-wormholes.md: define capability/security model for time travel operations in multiplayer (fork/rewind/merge/resync) and how provenance sovereignty constrains tooling.
Scope:
- Define who can perform fork/rewind/merge actions; how those actions are authenticated/authorized.
- Define what tooling can observe/control during pause/rewind (and how it is recorded).
- Define the fail-closed behavior when capabilities are missing.
Acceptance:
- Spec defines the minimal capability matrix and how decisions are recorded into HistoryTime.