Add Browser Collector Enrollment Primitive

A trusted owner agent (Daisy/Simon-style) can already initiate a local-collector connection through POST /v1/owner/connections/intents, but a browser-bound connector such as a second Amazon account returns unsupported. The reason is honest: the reference has no enrollment primitive that lets a local collector drive a real browser session and ingest through the device-exporter path. The enroll route hardcodes sourcekind: "localdevice" and does no binding-aware validation, so there is no way to record that a collected binding is browser-collected rather than filesystem-read.

PDPP collects personal data from several topologies. Two matter here:

Device-exporter enrollment SHALL derive the enrolled binding's source kind from the connector manifest runtimerequirements.bindings rather than recording a fixed source kind. A filesystem binding SHALL enroll as localdevice. A browser binding (with no filesystem binding) SHALL enroll as browser_collector. A connector whose manifest declares neither binding, or for which no manifest is registered, SHALL be rejected with a typed error; enrollment SHALL NOT default to a source kind.

The reference connector-instance source binding SHALL support browsercollector as a source kind distinct from localdevice. A browsercollector binding SHALL identify a connector instance collected by a local collector that drives a browser session for a browser-bound connector. A localdevice binding SHALL continue to identify a filesystem-read local collection. This source kind is the connector-instance source-binding axis only; it is not the spine event source kind, and it is not promoted into PDPP Core protocol vocabulary.