fix(registry): P0 follow-ups — type reclassification guard, docs IA, source trust clarity

[bokelley]

Refs #3538

Ships the P0-ready subset from issue #3538 (registry follow-ups from #3495). Migrations 454+455 already landed the member_profiles backfill; this PR addresses the remaining P0 items that were code + docs, not data.

What ships

1. Crawler type reclassification guard (server/src/crawler.ts:580)
Old guard: !knownTypes.has(agent.url) && inferredType !== 'unknown' — skipped agents that already had any non-unknown type, even a wrong one (the root cause of Bidcliq/Swivel staying as buying).
New guard: inferredType !== 'unknown' && inferredType !== knownTypes.get(agent.url) — updates the stored type whenever the new inferred type is non-unknown and differs from what's stored. Refuses to downgrade to unknown. Prevents recurrence without needing another one-shot migration.

2. OpenAPI tag rename: "Lookups & Authorization" → "Authorization Lookups"
Changed across 4 source files: registry-api.ts (8 tags + 2 comments), static/openapi/registry.yaml (8 tags + tag definition), scripts/generate-openapi.ts (map key), docs/registry/index.mdx (CardGroup card + section heading + anchor href). Fixes the lookups-%26-authorization URL slug that was unshareable and unsearchable in Mintlify. Versioned snapshots under dist/ are frozen historical artifacts and were intentionally not updated.

3. OpenAPI description annotations on source, member, discovered_from fields (server/src/schemas/registry.ts)
Trust-level semantics added: source explains registered vs discovered; member clarifies it's present only for registered agents; discovered_from clarifies it's present only for discovered agents. Annotations placed on the .optional() wrapper — consistent with how source is annotated and correct for zod-to-openapi.

4. Auth-aware note on /api/registry/operator OpenAPI description
Documents the three-tier visibility already implemented in the runtime handler: anonymous → public only; API-access token → adds members_only; profile owner → adds private. Zero runtime change.

5. docs/registry/index.mdx — missing operator/publisher rows + subsection
Added /api/registry/operator and /api/registry/publisher to the Authorization Lookups overview table (they were documented in sub-pages but absent from the overview). Added a short subsection explaining when to call each and the operator endpoint's auth-aware behavior.

6. New docs/registry/registering-an-agent.mdx
Two-path registration table (member direct vs discovered via adagents.json), JSON examples showing source field differences, what AgenticAdvertising.org membership unlocks, path for non-member agents. Problem 5 Option B (community_agents / self_attested) flagged for human product decision.

What's deferred (stays open on #3538)

• P0.1 member_profiles backfill — migration 455 already handles this. The remaining gap (agents never crawled) closes on next write via the prevention layer in fix(registry): server-side agent-type resolution at registration #3498.
• P1: ?source= query param + UI segmentation — author's P1 phasing; additive but requires more UI work.
• P1: Re-probe loop for type: 'unknown' agents — needs group by discovery_error data investigation before building retry logic; also needs last_probe_attempt_at schema change.
• P2: Endpoint split — breaking change, needs RFC + deprecation period.
• Problem 5 Option B — product decision on trust tier model for self-attested agents, flagged for human review.
• buying enum question — explicitly out of scope per issue author.

Non-breaking justification

All six changes are non-breaking: the crawler guard is a server-internal logic fix with no wire format change; the tag rename affects only the generated docs slug (not any wire field); the schema annotations add optional OpenAPI metadata to existing fields; the operator description change adds documentation to an existing endpoint; the docs changes are additive.

Pre-PR review

Blocker found and fixed: Both reviewers independently flagged that registering-an-agent.mdx incorrectly claimed source appears on the /api/registry/operator response — OperatorAgentSchema has no source field. Fixed in commit 31ece72: sentence now reads "The source field is returned on every agent in GET /api/registry/agents."

• code-reviewer: approved after fix — crawler guard logic correct; tag rename complete; .openapi() placement on optional wrapper is correct for zod-to-openapi. Nit: link text in index.mdx:167 could be reworded for readability.
• ad-tech-protocol-expert: approved after fix — all changes non-breaking per spec; OperatorAgentSchema confirmed to have no source field; discovered agents are returned unconditionally by /api/registry/agents (no visibility gate), consistent with "public only" trust-level claim in the new docs page.

Triage-managed PR. This bot does not currently iterate on
review comments or PR conversation threads (only on the source
issue). To unblock:

• Push fixup commits directly: gh pr checkout <num> →
  fix → push.
• Or re-trigger: comment /triage execute on the source
  issue.

See #3121
for context.

Session: https://claude.ai/code/session_01LpZQ7dcUTFgreLrUkKsLht