fix(audit): validate phase0 artifact tag inputs

Add shared artifact-tag normalization/validation and apply it to capture, drift, and prune scripts for --tag/--report-tag/--baseline-tag paths. Architecture diagrams reviewed; no flow changes required.

scripts/capture-phase0-live-baseline.ts

@@ -4,6 +4,7 @@ import { mkdir, writeFile } from 'node:fs/promises';
 import { dirname, resolve } from 'node:path';
 import { parseArgs } from 'node:util';
 import { queryAuditLogs } from '../src/audit/export.js';
+import { normalizeArtifactTag } from '../src/audit/artifactTag.js';
 import {
   capturePhase0LiveBaselineEvents,
   type Phase0BackendTarget,
@@ -196,7 +197,7 @@ async function main(): Promise<void> {
   }
 
   const auditPath = expandHomePath(values.audit ?? '~/.local/share/flynn/audit.log');
-  const tag = values.tag ?? isoDateTagNow();
+  const tag = normalizeArtifactTag(values.tag ?? isoDateTagNow(), '--tag');
   const channels = parseCsv(values.channel);
   let sources = parseSources(values.source);
   const backendTargets = parseBackendTargets(values.backend);