proposal: modular content filter (replication first)

[vtmocanu]

What

Adds proposals/new/modular_content_filter.md proposing a small content-filter package consumed by Harbor replication today, with hooks to adopt it from proxy cache and other consumers later. First concrete user is per-platform selective replication (the long-standing request in goharbor/harbor#19864).

Key design points:

• Don't-rewrite: filtering a multi-arch artifact preserves the original manifest-list / OCI image-index digest. Cosign signatures and accessory linkages survive; trade-off is that the destination index references children that may not be present (informative manifest unknown on pull, accepted per the user's explicit selection).
• Narrow v1 surface: five predicates (ByName, ByTag, ByLabel, ByType, ByPlatform), no composition (All/Any/Not), no speculative dimensions. Future predicates land additively when concrete consumers need them.
• Aligned with Add proxy cache filter proposal #280: stonezdj's repository-name filter for proxy cache fits naturally as a future consumer of the same module; co-design with Add proxy cache filter proposal #280's author is required before any overlap.

Validation

No code in this PR; it's a proposal MD only. The proposal includes a Phase 1 verification checklist covering per-arch Cosign signature replication, GC and quota behaviour with dangling references at the destination, and idempotency, all to be exercised when the implementation lands.

Full disclosure

I don't have programming skills at the depth of a Harbor maintainer; I asked Claude Code to assist with researching the existing Harbor code and drafting this proposal.