feat(sec-core): update skill ledger security interactions

[1570005763]

Description

Update skill-ledger interactions so non-pass hook states use the new confirmation policy and skill-ledger guidance presents a clearer quick-scan / deep-scan workflow. Cosh and OpenClaw now require confirmation for unscanned, drifted, denied, and tampered skills while keeping warn/error/unknown states fail-open with warnings.

The skill-ledger Skill instructions now define a single report format shared by status checks, quick scans, deep scans, and post-install certification. Agent-assisted skill installs automatically run quick certification after a successful install, while explicit deep-scan requests go directly through the deep scan path after environment checks.

Related Issue

no-issue: user-requested skill ledger interaction update

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional change)
• Performance improvement
• CI/CD or build changes

Scope

• cosh (copilot-shell)
• sec-core (agent-sec-core)
• skill (os-skills)
• sight (agentsight)
• tokenless (tokenless)
• Multiple / Project-wide

Checklist

• I have read the Contributing Guide
• My code follows the project's code style
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly
• For cosh: Lint passes, type check passes, and tests pass
• For sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
• For sec-core (Python): Ruff format and pytest pass
• For skill: Skill directory structure is valid and shell scripts pass syntax check
• For sight: cargo clippy -- -D warnings and cargo fmt --check pass
• For tokenless: cargo clippy -- -D warnings and cargo fmt --check pass
• Lock files are up to date (package-lock.json / Cargo.lock)

Testing

cd src/agent-sec-core && make python-code-pretty
cd src/agent-sec-core && uv run --project agent-sec-cli ruff check --config agent-sec-cli/pyproject.toml cosh-extension/hooks/skill_ledger_hook.py tests/unit-test/cosh_hooks/test_skill_ledger_hook.py
cd src/agent-sec-core/agent-sec-cli && uv run pytest ../tests/unit-test/cosh_hooks/test_skill_ledger_hook.py
cd src/agent-sec-core/agent-sec-cli && .venv/bin/python -m pytest ../tests/integration-test/skill-ledger/test_skill_ledger_integration.py -k "list_scanners or certify_no_findings_auto_invoke or certify_static_scanner_detects_dangerous_script or certify_auto_invoke_skill_code_scanner_warn or certify_merges_skill_vetter_and_skill_code_scanner"
cd src/agent-sec-core && PATH="$(pwd)/agent-sec-cli/.venv/bin:$PATH" python3 tests/e2e/skill-ledger/e2e_test.py
cd src/agent-sec-core/openclaw-plugin && npm run build
cd src/agent-sec-core/openclaw-plugin && npm test -- --test-reporter=spec
git diff --check

Additional Notes

Rust checks were not run because this change does not touch Rust code.

[edonyzpc]

LGTM