Release v0.3.0: Rebrand to FieldWitness + C2PA bridge + GPL-3.0

Major release marking the transition from SooSeF to FieldWitness.

Highlights:
- Full rebrand: soosef → fieldwitness, stegasoo → stego, verisoo → attest
- Data directory: ~/.soosef/ → ~/.fwmetadata/ (innocuous name for field safety)
- License: MIT → GPL-3.0
- C2PA bridge module (Phase 0-2): X.509 cert management, export path with
  vendor assertions (org.fieldwitness.perceptual-hashes, chain-record,
  attestation-id), GPS downsampling for privacy
- README repositioned: provenance/federation first, steganography backgrounded
- Threat model skeleton (docs/security/threat-model.md)
- Planning docs: C2PA integration, GTM feasibility, packaging strategy,
  "Why FieldWitness Exists" narrative for non-technical audiences

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/security/threat-model.md

@@ -4,7 +4,7 @@
 identifies gaps. Version numbers track significant revisions.
 
 **Document version:** 0.1 (2026-04-01)
-**Corresponds to:** FieldWitness v0.2.0
+**Corresponds to:** FieldWitness v0.3.0
 
 This document follows the style of the Signal Protocol specification and the Tor design
 document: it makes precise claims, distinguishes what is guaranteed from what is not, and
@@ -90,7 +90,7 @@ cannot forge a valid signature without the private key. The append-only hash cha
 retroactive injection detectable: inserting a record at position N requires recomputing all
 subsequent hashes. Consistency proofs during gossip sync detect log divergence.
 
-**Gap:** Certificate pinning for federation peers is not implemented as of v0.2.0. The
+**Gap:** Certificate pinning for federation peers is not implemented as of v0.3.0. The
 Tier 3 relay uses a self-signed certificate; operators should verify its fingerprint
 out-of-band. Gossip peers authenticate by Ed25519 fingerprint, not certificate, which
 provides a secondary check.