fix(audit): reject malformed rolling artifact tags

Harden phase0 rolling retention timestamp parsing with explicit bounds and UTC round-trip validation; add regression coverage for invalid date/time tags. No architecture/protocol flow changes; diagram files reviewed and no updates were needed.

docs/plans/state.json

@@ -439,6 +439,18 @@
       ],
       "test_status": "pnpm test:run src/audit/phase0BaselineScriptWiring.test.ts + pnpm typecheck passing"
     },
+    "phase0-live-baseline-rolling-tag-validation-hardening": {
+      "status": "completed",
+      "date": "2026-02-27",
+      "updated": "2026-02-27",
+      "summary": "Hardened rolling artifact retention tag parsing to reject impossible timestamp components (month/day/time bounds and invalid calendar dates) so malformed filenames cannot be misclassified through date normalization.",
+      "files_modified": [
+        "src/audit/phase0BaselineArtifactRetention.ts",
+        "src/audit/phase0BaselineArtifactRetention.test.ts",
+        "docs/plans/state.json"
+      ],
+      "test_status": "pnpm test:run src/audit/phase0BaselineArtifactRetention.test.ts + pnpm typecheck passing"
+    },
     "phase0-instrumentation-ticket-checklist": {
       "status": "completed",
       "date": "2026-02-25",