Add architecture review findings and address documentation issues

Review of all ADR documents (001-007) and peripheral architecture docs
identified 3 critical, 10 warning, and 7 suggestion issues.

Addressed in this commit:
- W-1: Add draft qualifier to ADR-002 reference to incremental exploration
- W-2: Add Alternatives Considered section to ADR-001
- W-3: Add Document Lifecycle section to README.md (draft/stable/deprecated)
- W-4: Clarify includeCompleted semantics (only 'completed' status triggers exclusion)
- W-5: Document file I/O runtime constraints in frontmatter.md
- W-6: Add ADR reference to architecture.md redirect
- W-7: Verify CVE-2025-64718 (confirmed real, improved description)
- W-9: Convert workspace-absolute paths to relative/monorepo references
- S-7: Add future ADR-008 note to incremental-update-exploration.md

Critical issues (C-1, C-2, C-3) and remaining warnings (W-8, W-10, S-4, S-5)
were addressed by a parallel agent in a prior commit.

All 16 review tasks created and resolved.

tasks/architecture/w-7-cve-number-verify.md

@@ -0,0 +1,21 @@
+---
+id: architecture/w-7-cve-number-verify
+name: Verify js-yaml CVE number in frontmatter.md
+status: completed
+depends_on: []
+created: 2026-04-26T09:10:57.556575363Z
+modified: 2026-04-26T09:10:57.556575883Z
+scope: narrow
+risk: medium
+---
+
+# Description
+
+**Review ref**: W-7 (Warning)
+**Files affected**: `docs/architecture/frontmatter.md`
+
+The frontmatter doc references "CVE-2025-64718" for js-yaml prototype pollution. This CVE number appears incorrect — the sequence number is unusually high and no matching CVE was found. An incorrect CVE undermines the supply-chain security argument.
+
+Verify the actual CVE number for js-yaml prototype pollution vulnerability. If the number can't be confirmed, replace with "referenced in npm audit database" or link to the npm advisory directly.
+
+**Source**: `/docs/reviews/architecture-review-2026-04-26.md` W-7