AFI parity: close all 35 gaps — every adapter wires every AFI-common capability

The conformance board (tests/afi/test_capability_parity.py) is now fully green:
90 capability cells + 4 meta-locks + 3 codegen byte-parity = 97 passed. The
gaps the prose table used to launder as "Django-only" / "out of scope" are
wired, against the pinned-spec model (single-authored spec, byte-identical
conformance across languages) — never per-language reimplementation.

FastAPI — edge_manifest + PSR (logic single-sourced in mizan_core.manifest),
WebSocket RPC (/ws/ through the shared dispatch), SSR (the framework-agnostic
SSRBridge relocated to mizan_core.ssr; Django rides it from there), Shapes
(SQLAlchemy projection, same declaration surface as django-readers), Forms
(Pydantic schema/validate/submit).

Rust (Axum + Tauri + cores/mizan-rust) — X-Mizan-Invalidate header, auth=
enforcement, origin HMAC cache, edge manifest + PSR, WebSocket handler / IPC
subscription channel, multipart upload, SSR bridge, Shapes, Forms; JWT/MWT
mint+verify and cache-key derivation byte-pinned to the Python reference
(cache_keys_pin, token_pin, invalidate_header_pin).

TypeScript — a KDL IR emitter byte-identical to the Python build_ir (so a TS
backend can feed the codegen — the largest gap), multipart upload, session-init,
WebSocket transport, SSR bridge, JWT/MWT mint (pinned to Python), Shapes, Forms.

Verified in the merged tree: core 25, fastapi 74, django 353/21-skip,
mizan-rust (incl. cross-language pins) green, axum 10, tauri 8, mizan-ts 103/2-skip.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

README.md

@@ -60,32 +60,32 @@ Every capability below is **AFI-common**: each adapter owes a binding, and a ❌
 | RPC call dispatch (`{result, invalidate}`) | ✅ | ✅ | ✅ | ✅ | ✅ |
 | Named-context bundle fetch | ✅ | ✅ | ✅ | ✅ | ✅ |
 | Invalidation — JSON body | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Invalidation — `X-Mizan-Invalidate` header | ✅ | ✅ | ❌ | — | ✅ |
+| Invalidation — `X-Mizan-Invalidate` header | ✅ | ✅ | ✅ | — | ✅ |
 | Invalidation auto-scoping (three-tier) | ✅ | ✅ | ✅ | ✅ | ✅ |
 | Function discovery / registration | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Codegen IR export (KDL) | ✅ | ✅ | ✅ | ✅ | ❌ |
-| File uploads (`Upload` type) | ✅ | ✅ | ❌ | ❌ | ❌ |
+| Codegen IR export (KDL) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| File uploads (`Upload` type) | ✅ | ✅ | ✅ | ✅ | ✅ |
 
 ### Edge, cache & enforcement
 
 | Capability | Django | FastAPI | Rust / Axum | Tauri | TypeScript |
 |---|:---:|:---:|:---:|:---:|:---:|
-| Auth-guard enforcement (`auth=…` rejects) | ✅ | ✅ | ◑ | ◑ | ✅ |
-| Origin-side HMAC cache | ✅ | ✅ | ❌ | ❌ | ✅ |
-| Edge manifest export | ✅ | ❌ | ❌ | — | ✅ |
-| PSR (`render_strategy` in manifest) | ✅ | ❌ | ❌ | — | ✅ |
-| Session / CSRF init endpoint | ✅ | ✅ | ✅ | — | ❌ |
+| Auth-guard enforcement (`auth=…` rejects) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Origin-side HMAC cache | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Edge manifest export | ✅ | ✅ | ✅ | — | ✅ |
+| PSR (`render_strategy` in manifest) | ✅ | ✅ | ✅ | — | ✅ |
+| Session / CSRF init endpoint | ✅ | ✅ | ✅ | — | ✅ |
 
 ### Extension points
 
 | Capability | Django | FastAPI | Rust / Axum | Tauri | TypeScript |
 |---|:---:|:---:|:---:|:---:|:---:|
-| WebSocket transport (`websocket=` declared) | ✅ | ❌ | ◑ | ❌ | ❌ |
-| SSR bridge (subprocess renderer) | ✅ | ❌ | ❌ | ❌ | ❌ |
-| JWT auth (access / refresh) | ✅ | ✅ | ❌ | ❌ | ◑ |
-| MWT (edge identity token) | ✅ | ✅ | ❌ | — | ◑ |
-| Typed query projection (Shapes) | ✅ | ❌ | ❌ | ❌ | ❌ |
-| Forms (schema / validate / submit) | ✅ | ❌ | ◑ | ◑ | ❌ |
+| WebSocket transport (`websocket=` declared) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| SSR bridge (subprocess renderer) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| JWT auth (access / refresh) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| MWT (edge identity token) | ✅ | ✅ | ✅ | — | ✅ |
+| Typed query projection (Shapes) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Forms (schema / validate / submit) | ✅ | ✅ | ✅ | ✅ | ✅ |
 
 **Notes**