Commit d8f54fd
docs(v1.1): complete research phase — stack, features, architecture, pitfalls, summary
Four parallel research tracks + synthesis, all focused on v1.1 Foundations
(Organizations + Passkeys):
- STACK: add {:wax_, "~> 0.7"} only; SimpleWebAuthn 13 in generator JS;
reuse cloak_ecto vault; no MT library; no Igniter
- FEATURES: table stakes from Clerk/Auth0/WorkOS/GitHub/Jetstream/FIDO;
anti-features list (no auto personal org, no PG schema-per-tenant)
- ARCHITECTURE: 13 phases, two parallelizable tracks; 12 v1.2 forward-compat
load-bearing decisions identified (reserved impersonating_from scope field,
audit_events real org_id + effective_user_id columns, subdir feature
manifest pattern, etc.)
- PITFALLS: 26 pitfalls with CVE/post-mortem citations; top 5 criticals are
cross-tenant leak, invite hijack, last-owner lockout, WebAuthn challenge
replay, stolen-session passkey enrollment
- SUMMARY: single coherent view with top 10 prioritized pitfalls, phase
ordering with pitfall mitigations as phase requirements, and 12 open
questions for discuss-phase
No cross-researcher contradictions except backfill default (flagged in
open questions #1).

1 parent c8e76d2
5 files changed
Lines changed: 1858 additions & 1417 deletions