feat(core-api): add verification pipeline with vertex attire adapter

docs/MILESTONES/M4/planning/m4-verification-architecture-contract.md

@@ -1,9 +1,20 @@
 # M4 Verification Architecture Contract (Attire, Government ID, Certification)
 
-Status: Proposed (next implementation slice)  
+Status: Partially implemented in dev (core endpoints + async in-memory processor)  
 Date: 2026-02-24  
 Owner: Technical Lead
 
+## Implementation status today (dev)
+1. Implemented routes:
+- `POST /core/verifications`
+- `GET /core/verifications/{verificationId}`
+- `POST /core/verifications/{verificationId}/review`
+- `POST /core/verifications/{verificationId}/retry`
+2. Current processor is in-memory and non-persistent (for fast frontend integration in dev).
+3. Next hardening step is persistent job storage and worker execution before staging.
+4. Attire uses a live Vertex vision model path with `gemini-2.0-flash-lite-001` by default.
+5. Government ID and certification use third-party adapter contracts (provider URL/token envs) and fall back to `NEEDS_REVIEW` when providers are not configured.
+
 ## 1) Goal
 Define a single backend verification pipeline for:
 1. `attire`
@@ -196,6 +207,19 @@ Rules:
 4. Log request and decision IDs for every transition.
 5. For government ID, keep provider response reference and verification timestamp.
 
+## 11) Provider configuration (environment variables)
+1. Attire model:
+- `VERIFICATION_ATTIRE_PROVIDER=vertex`
+- `VERIFICATION_ATTIRE_MODEL=gemini-2.0-flash-lite-001`
+2. Government ID provider:
+- `VERIFICATION_GOV_ID_PROVIDER_URL`
+- `VERIFICATION_GOV_ID_PROVIDER_TOKEN` (Secret Manager recommended)
+3. Certification provider:
+- `VERIFICATION_CERT_PROVIDER_URL`
+- `VERIFICATION_CERT_PROVIDER_TOKEN` (Secret Manager recommended)
+4. Provider timeout:
+- `VERIFICATION_PROVIDER_TIMEOUT_MS` (default `8000`)
+
 ## 9) Frontend integration pattern
 1. Upload file via existing `POST /core/upload-file`.
 2. Create verification job with returned `fileUri`.