Implement phase 3 platform wedge #236

Merged: pengfei-threemoonslab merged 2 commits into main from codex/phase3-platform-wedge on Jun 22, 2026

@pengfei-threemoonslab

Contributor

Summary

  • promote the local registry into a platform ledger with v0.3 rows, hash chaining, verification, summaries, and governance filters
  • extend attestations, host-grant inventory, org evidence bundles, and policy-pack projection into versioned public artifacts
  • add org bundle/policy-pack CLI surfaces, host audit --out, GitHub Action artifact outputs, contract/.well-known updates, docs, schemas, examples, and tests

Verification

  • python -m ruff check src scripts tests
  • python -m pytest -q
  • AGENTS_SHIPGATE_AGENT_MODE=1 PYTHONPATH=src python -m agents_shipgate check --agent codex --workspace . --format codex-boundary-json -> decision=allow, completion_allowed=true
  • AGENTS_SHIPGATE_AGENT_MODE=1 PYTHONPATH=src python -m agents_shipgate verify --workspace . --config shipgate.yaml --ci-mode advisory --format json -> exit 0, merge_verdict=human_review_required, decision=review_required

Shipgate note

The verifier requires human review because this PR intentionally changes protected trust-root and agent-instruction surfaces. I did not suppress or weaken the gate; the PR is draft for that review.

pengfei-threemoonslab changed the title from "[codex] implement phase 3 platform wedge" to "Implement phase 3 platform wedge" on Jun 22, 2026
pengfei-threemoonslab marked this pull request as ready for review June 22, 2026 03:45
pengfei-threemoonslab marked this pull request as draft June 22, 2026 04:37

Contributor Author

Addressed in follow-up commit d1137b9.

What changed:

  • Moved the org/fleet governance commands out of the stable command table into a preview/provisional section in STABILITY.md, so the platform wedge remains discoverable without locking the flags as stable commitments before design-partner consumption.
  • Fixed registry summary.policy_pack_unverified_count by carrying policy-pack sha256_status through verify-run and attestation as a normalized status field, with regression coverage.
  • Made registry row_id hashing use the RegistryRowV1 model projection, removed the dead _coerce_row branch, and clarified ingest idempotency as exact attestation bytes.
  • Made org bundle preview rows use raw attestation-file SHA when an attestation file exists, matching registry ingest; added v0.3 attestation compatibility in org bundle.
  • Tightened HostGrantsDriftV1 to extra="forbid".
  • Marked the PR draft to match the Shipgate human-review requirement and the PR body note.

Verification:

  • python -m ruff check src scripts tests
  • python -m pytest -q
  • python scripts/generate_schemas.py --check
  • AGENTS_SHIPGATE_AGENT_MODE=1 PYTHONPATH=src python -m agents_shipgate check --agent codex --workspace . --format codex-boundary-json -> decision=allow
  • AGENTS_SHIPGATE_AGENT_MODE=1 PYTHONPATH=src python -m agents_shipgate verify --workspace . --config shipgate.yaml --ci-mode advisory --format json -> exit 0, merge_verdict=human_review_required, decision=review_required as expected for protected trust-root / agent-instruction changes.

pengfei-threemoonslab marked this pull request as ready for review June 22, 2026 05:17
pengfei-threemoonslab merged commit 3e682e2 into main Jun 22, 2026
2 checks passed
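
The hash chaining, verification, and byte-exact ingest idempotency discussed in this PR can be illustrated with a small ledger sketch. This is an added example, not code from the agents_shipgate repository: the `Ledger` class, `row_id_for`, the `GENESIS` sentinel, and all row field names are hypothetical and do not reproduce the RegistryRowV1 schema.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel used as prev_row_id of the first row


def row_id_for(projection: dict) -> str:
    # Hash a canonical JSON projection so key order and whitespace
    # in the in-memory row cannot change the resulting id.
    canonical = json.dumps(projection, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Ledger:
    """Hypothetical append-only ledger; field names are assumptions."""

    def __init__(self):
        self.rows = []

    def ingest(self, attestation_bytes: bytes, decision: str) -> dict:
        # Idempotency key is the SHA-256 of the exact file bytes, so a
        # re-serialized attestation is treated as a different artifact.
        att_sha = hashlib.sha256(attestation_bytes).hexdigest()
        for row in self.rows:
            if row["attestation_sha256"] == att_sha:
                return row
        projection = {
            "seq": len(self.rows),
            "attestation_sha256": att_sha,
            "decision": decision,
            "prev_row_id": self.rows[-1]["row_id"] if self.rows else GENESIS,
        }
        row = dict(projection, row_id=row_id_for(projection))
        self.rows.append(row)
        return row

    def verify(self) -> list:
        # Recompute every row hash and every back-link; report all failures.
        problems, prev = [], GENESIS
        for i, row in enumerate(self.rows):
            projection = {k: v for k, v in row.items() if k != "row_id"}
            if row.get("prev_row_id") != prev:
                problems.append((i, "broken_chain"))
            if row_id_for(projection) != row.get("row_id"):
                problems.append((i, "row_hash_mismatch"))
            prev = row.get("row_id")
        return problems
```

Editing a stored row without updating its id is reported at that row; rewriting the id to hide the edit is reported at the following row, whose `prev_row_id` no longer matches.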