Pic-standard

Latest version: v0.7.0


0.7.0

Added
- **`KeyResolver` protocol** — injectable, sync-only interface for trust key resolution.
`get_key(key_id) -> Optional[bytes]` and `key_status(key_id) -> KeyStatus`.
- **`StaticKeyRingResolver`** — zero-I/O resolver backed by a pre-loaded `TrustedKeyRing`.
- `PipelineOptions.key_resolver` — threads custom resolver through the shared pipeline
into `EvidenceSystem`.
- `KeyResolver` and `StaticKeyRingResolver` exported from `pic_standard` public API.
- `tests/test_key_resolver.py` — 7 tests covering resolver protocol, injection,
lazy default semantics, and pipeline threading.

Changed
- **Evidence hot path fix:** `EvidenceSystem` no longer reloads the keyring per signature
item. Default trust resolution is lazy (loaded on first signature verification only).
- `EvidenceSystem.__init__` accepts optional `key_resolver` parameter. When omitted,
the default resolver is constructed lazily via `TrustedKeyRing.load_default()` on
first use — hash-only evidence never triggers keyring loading.
- Deleted `_load_public_key_from_keyring()` module-level function; replaced by
`EvidenceSystem._resolve_public_key()` instance method using the resolver protocol.

Fixed
- Hash-only evidence verification no longer triggers unnecessary keyring file I/O.
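
The resolver injection and lazy default described in the 0.7.0 notes, as an added sketch that does not import `pic_standard` and is not the project's code. `InMemoryResolver`, `LazyEvidenceChecker`, the `KeyStatus` member names and the HMAC stand-in for signature verification are assumptions; only the two `KeyResolver` method signatures come from the notes above.

```python
import hashlib
import hmac
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Protocol


class KeyStatus(Enum):  # member names are assumed; the changelog only names the type
    ACTIVE = "active"
    REVOKED = "revoked"
    MISSING = "missing"


class KeyResolver(Protocol):  # the two method signatures listed in the changelog
    def get_key(self, key_id: str) -> Optional[bytes]: ...
    def key_status(self, key_id: str) -> KeyStatus: ...


class InMemoryResolver:
    """Zero-I/O resolver over a pre-loaded mapping (hypothetical stand-in)."""
    def __init__(self, keys: Dict[str, bytes], revoked: FrozenSet[str] = frozenset()):
        self._keys, self._revoked = dict(keys), revoked

    def get_key(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)

    def key_status(self, key_id: str) -> KeyStatus:
        if key_id not in self._keys:
            return KeyStatus.MISSING
        return KeyStatus.REVOKED if key_id in self._revoked else KeyStatus.ACTIVE


class LazyEvidenceChecker:
    """Builds the default resolver on the first signature check, then reuses it."""
    def __init__(self, key_resolver: Optional[KeyResolver] = None,
                 load_default: Callable[[], KeyResolver] = lambda: InMemoryResolver({})):
        self._resolver, self._load_default = key_resolver, load_default

    def verify_hash(self, payload: bytes, sha256_hex: str) -> bool:
        # Hash-only evidence never touches the resolver.
        return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), sha256_hex)

    def verify_signature(self, payload: bytes, key_id: str, tag: bytes) -> bool:
        if self._resolver is None:
            self._resolver = self._load_default()  # lazy, at most once
        key = self._resolver.get_key(key_id)
        # Fail closed: any status other than ACTIVE, or a missing key, rejects.
        if key is None or self._resolver.key_status(key_id) is not KeyStatus.ACTIVE:
            return False
        # HMAC-SHA256 stands in for public-key signature verification here.
        return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)
```

Passing a counting `load_default` callable makes the "loaded on first signature verification only" behaviour directly observable in a unit test.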

---

0.6.1

Changed
- **Shared verification pipeline**: Extracted duplicated verification logic from
MCP guard, LangGraph, and CLI into a single `pipeline.py` module with
`verify_proposal()` as the one function all consumers delegate to.
- All three consumers (MCP guard, LangGraph ToolNode, CLI) now delegate to
`pipeline.verify_proposal()` instead of reimplementing the verification chain.
- **Error code semantics**: `ActionProposal` instantiation / verifier-rule failures
are now reported as `PIC_VERIFIER_FAILED` (instead of `PIC_POLICY_VIOLATION` in
some MCP paths).
- `pic-cli verify` now uses the shared pipeline (`verify_proposal()`), aligning CLI
behavior with MCP/LangGraph verification flow.
- `_debug_enabled()` moved to `errors.py` (shared location).
- `PICEvaluateLimits` canonical home moved to `pipeline.py`.
- `integrations/__init__.py` exports `PipelineOptions`, `PipelineResult`,
`verify_proposal`, and `guard_mcp_tool_async`.

Fixed
- Catch-all in MCP guard wrappers changed from `POLICY_VIOLATION` to
`INTERNAL_ERROR`.
- Evidence imports narrowed from `except Exception` to `except ImportError`.
- Impact resolution now falls back to `expected_tool` when `tool_name` is None.
- Impact enum values normalized to strings before comparison.

Added
- `pipeline.py` — shared verification pipeline with `PipelineOptions`,
`PipelineResult`, and `verify_proposal()`.
- `tests/test_pipeline.py` — 26 tests covering schema, verifier rules, tool
binding, limits, impact resolution, evidence gating, time budget, and result shape.
- `tests/conftest.py` — `make_proposal()` helper and reusable pytest fixtures.
- `_b64decode()` now supports a `strict` mode (default remains permissive for
backward compatibility; strict mode will be used in future canonicalization
tightening).
- Cross-ref comments on `VERIFIER_FAILED` and `POLICY_VIOLATION` in `errors.py`.

---

0.6.0

Added
- **Cordum integration**: Pack for workflow-level PIC verification gating
  - Worker topic: `job.pic-standard.verify`
  - Workflow routing: `proceed` / `fail` / `require_approval`
  - Fail-closed HTTP bridge client (Go)
  - Pack source: `cordum-io/cordum-packs` → `packs/pic-standard/`
- `integrations/cordum/` — README, example policy config
- `docs/cordum-integration.md` — full integration guide with architecture diagram

---

0.5.5

Fixed (OpenClaw Plugin — PR 14704 Review)
- **CRITICAL: pic-init hook API**: Changed from mutating `event.messages.push()` to returning
`{ prependContext: string }` — the correct `before_agent_start` return type
- **CRITICAL: pic-audit event shape**: Fixed to match real `tool_result_persist` event
`{ toolName?, toolCallId?, message, isSynthetic? }` instead of fictional
`{ toolName, params, result, error, durationMs }`
- **CRITICAL: Config loading**: All 3 handlers now receive `pluginConfig` via closure
from `register()` instead of reading `ctx.pluginConfig` (which doesn't exist in
hook contexts). Config was silently falling back to defaults.
- **Type-only imports**: Split `import type` from value imports in `pic-client.ts`
- **Test exclusion**: Added `**/*.test.ts` to tsconfig `exclude` (both repos)
- **package-lock.json**: Removed from OpenClaw repo (pnpm workspace uses pnpm-lock.yaml)

Changed
- All handlers refactored from `export default function handler()` to factory pattern:
`export function createPicXxxHandler(pluginConfig)` returning a closure handler

---

0.5.4

Fixed (OpenClaw Plugin)
- **CRITICAL: Hook registration**: Changed from `api.registerHook()` to `api.on()` to use
OpenClaw's typed hook system. The old method registered to the internal hooks system
which requires a config flag and uses different trigger paths. The `api.on()` method
registers to `typedHooks` which the hook runner actually uses for `before_tool_call`.
- **Type stub**: Added `api.on()` method and `PluginHookName` type union
- **Package name**: Changed from `pic-standard/openclaw-plugin` to `pic-guard`

Changed
- Hook handlers now use typed hook registration instead of internal hook system
- Removed `name` from hook options (not required for `api.on()`)

---

0.5.3

Fixed (OpenClaw Plugin)
- **Docs**: Removed fictional `openclaw plugins configure` command from integration guide
- **Import path**: Changed `openclaw` → `openclaw/plugin-sdk` for correct module resolution
- **Plugin discovery**: Added `openclaw.extensions` field to `package.json` for `openclaw plugins install`
- **HOOK.md frontmatter**: Added required `name` and `description` fields to all three hooks
- `pic-gate`, `pic-init`, `pic-audit` now display properly in OpenClaw UI/CLI

---
