chore: add SEP-2640 requirement-traceability YAML (Skills Extension)

[panyam]

Adds src/seps/sep-2640.yaml, the requirement-traceability file for the Skills Extension
SEP. Floats the requirement model out for Skills Over MCP Working Group review ahead of
scenario implementation. No scenarios in this PR.

Motivation and Context

SEP-2640 introduces a skill:// resource convention for serving Agent Skills over MCP. As
an Extensions Track SEP, it needs conformance coverage before review under SEP-2133. Landing
the requirement extraction first lets the Skills Over MCP Working Group sanity-check which
normative obligations the harness will assert versus which are excluded as host-internal
policy or UI affordances, before any scenario design starts.

The yaml also carries a leading provenance comment (spec_source commit ref +
extracted_at date) so future SEP drift is detectable from the file alone, without
rebuilding the extraction.

How Has This Been Tested?

No runtime behavior in this change. Validation performed:

• YAML parses cleanly. 25 check: rows + 8 excluded: rows (33 total).
• Lefthook pre-push (Test, Code Formatting) passes on each commit.
• All RFC 2119 sentences from the SEP's normative sections (Specification + Security
  Implications) are accounted for. MAY / OPTIONAL sentences are intentionally dropped per
  the conformance-repo convention.

End-to-end conformance against the reference SDK will follow in a later PR once scenarios
exist.

Breaking Changes

None. The file is additive metadata. Existing SEP yamls, scenarios, and the traceability
manifest are untouched. traceability.json will pick up the new check IDs the next time it
is regenerated against a suite run.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Two requirement merges to flag for reviewers:

• host-no-unverified-content (MUST NOT) is folded into host-verify-digest. They state
  the same obligation as positive and negative; one row keeps both halves linked.
• host-archive-safety collapses the Discovery-section and Security-Implications
  restatements of the archive-safety rule into a single row.

Excluded categories and reasoning:

• Host-internal policy (untrusted-input handling, no implicit execution, context-authority
  ordering).
• UI affordances (origin indicator, inspect-before-load, template discovery).
• Sub-MCP behavior (DNS resolution of the URI authority component, archive-format detection
  logic between mimeType and URL suffix).

Planned followups (separate PRs):

• Scenarios under src/scenarios/{server,client}/skills.ts, registered in
  src/scenarios/index.ts.
• Reference implementation in at least one SDK, exercising those scenarios end-to-end
  against the everything-server / everything-client.
• Passing and negative cases added to the everything-server per AGENTS.md.