doc/plans: Update OCI sealing spec (kernel sigs, flattened layers)

The biggest goal here is support for Linux kernel-native fsverity
signatures to be attached to layers, which enables integration with
IPE.

Add support for a fully separate OCI "composefs signature" artifact
which can be attached to an image.

Drop the -impl.md doc...it's not useful to try to write this
stuff in markdown. The spec has some implementation considerations,
but it's easier to look at implementation side from a code draft.

Add standardized-erofs-meta.md as a placeholder document outlining the
goal of standardizing composefs EROFS serialization across implementations
(canonical model: tar -> dumpfile -> EROFS).

Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters