
#9896: feat: runtime trust enforcement v1 (keyring + revocations)

by Eventedge · open · 2026-02-05 21:00

Labels: docs, app: web-ui, gateway, cli, agents, size: XL
### Summary

Adds runtime trust enforcement for tool calls via AgentShield:

- Revocation checks (publisher + artifacts) using verified revocation lists
- Publisher keyring verification for signed envelopes
- Operator-facing block reasons + hints for trust root / revocations paths
- Feature-gated with safe defaults (strict checks off unless enabled)

### Update (fix for Greptile finding)

Greptile noted `enforceTrust()` was invoked without trust inputs. This PR now **plumbs trust context into the middleware**:

- `resolveAgentShieldTrustContext()` probes `agentDir` for trust card files (several common filenames/paths)
- Parses **signed envelopes** `{ payload, signature, public_key }` and unsigned payloads
- Extracts/forwards `publisherId`, `signedObject`, `trustCardId`, `contentSha256` (and related fields) into `TrustCheckInput`
- Env fallbacks: `AGENTSHIELD_PUBLISHER_ID`, `AGENTSHIELD_TRUSTCARD_PATH`

Result: `REQUIRE_NOT_REVOKED=1` / `REQUIRE_KEYRING=1` can now actually **block** tool calls as intended.

### How to test (targeted)

```sh
pnpm vitest run src/agents/pi-tools.agentshield-trust.test.ts
pnpm vitest run src/infra/agentshield-trust-enforcement.test.ts
```

### Notes for maintainers

Checks are green. If GitHub Actions are gated, please click **Approve and run**.
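The envelope-parsing and enforcement flow the description outlines, written out as an added TypeScript example; this is not code from the PR or from the AgentShield project. It assumes Ed25519 signatures over a canonical (sorted-key) JSON rendering of the payload, a keyring keyed by publisher id that holds base64 SPKI public keys, and that the payload carries `publisher_id` and `trustcard_id` fields; `resolveTrustContext`, `enforceTrust`'s parameter list, `policyFromEnv`, `makeSignedEnvelope` and `demo` are hypothetical stand-ins for the PR's `resolveAgentShieldTrustContext()` and `enforceTrust()`. The revocation list is taken as already verified, as the PR's "verified revocation lists" wording implies.

```typescript
import * as crypto from "node:crypto";

// Field names mirror the PR description; the payload keys publisher_id / trustcard_id are assumptions.
interface SignedEnvelope { payload: Record<string, unknown>; signature: string; public_key: string }
interface TrustCheckInput {
  publisherId?: string;
  trustCardId?: string;
  contentSha256: string;         // hash of the canonical payload, used for artifact revocation
  signedObject?: SignedEnvelope; // present only when the trust card was a signed envelope
}
interface TrustPolicy { requireKeyring: boolean; requireNotRevoked: boolean }
type Keyring = Record<string, string>; // publisherId -> base64 SPKI DER Ed25519 key (assumed format)
interface RevocationList { publishers: Set<string>; artifacts: Set<string> }
interface TrustDecision { allowed: boolean; reason?: string; hint?: string }

// Deterministic JSON (sorted keys) so signer, verifier and revocation list hash identical bytes.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const o = value as Record<string, unknown>;
    return "{" + Object.keys(o).filter((k) => o[k] !== undefined).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

function sha256Hex(s: string): string {
  return crypto.createHash("sha256").update(s).digest("hex");
}

function isSignedEnvelope(x: unknown): x is SignedEnvelope {
  return x !== null && typeof x === "object" && "payload" in x && "signature" in x && "public_key" in x;
}

// Stand-in for resolveAgentShieldTrustContext(): accepts a signed envelope or a bare payload
// and falls back to AGENTSHIELD_PUBLISHER_ID when the payload names no publisher.
function resolveTrustContext(raw: unknown, env: Record<string, string | undefined> = {}): TrustCheckInput {
  const signed = isSignedEnvelope(raw) ? raw : undefined;
  const payload = (signed ? signed.payload : raw) as Record<string, unknown>;
  return {
    publisherId: (payload.publisher_id as string | undefined) ?? env.AGENTSHIELD_PUBLISHER_ID,
    trustCardId: payload.trustcard_id as string | undefined,
    contentSha256: sha256Hex(canonicalize(payload)),
    signedObject: signed,
  };
}

// Safe defaults: strict checks stay off unless the env flags are set to "1".
function policyFromEnv(env: Record<string, string | undefined>): TrustPolicy {
  return { requireKeyring: env.REQUIRE_KEYRING === "1", requireNotRevoked: env.REQUIRE_NOT_REVOKED === "1" };
}

// Stand-in for enforceTrust(): returns an operator-facing block reason and hint instead of throwing.
function enforceTrust(input: TrustCheckInput, keyring: Keyring, revoked: RevocationList, policy: TrustPolicy): TrustDecision {
  if (policy.requireKeyring) {
    const env = input.signedObject;
    if (!env) return { allowed: false, reason: "unsigned trust card", hint: "REQUIRE_KEYRING=1 needs a signed envelope { payload, signature, public_key }" };
    if (!input.publisherId) return { allowed: false, reason: "missing publisherId", hint: "set publisher_id in the payload or AGENTSHIELD_PUBLISHER_ID" };
    const pinned = keyring[input.publisherId];
    if (!pinned) return { allowed: false, reason: `publisher ${input.publisherId} not in keyring`, hint: "add the publisher key to the trust root keyring" };
    // Verify against the keyring's pinned key, never against the key the envelope carries about itself.
    if (pinned !== env.public_key) return { allowed: false, reason: "envelope public_key does not match keyring", hint: "check the trust root keyring path" };
    const key = crypto.createPublicKey({ key: Buffer.from(pinned, "base64"), format: "der", type: "spki" });
    const ok = crypto.verify(null, Buffer.from(canonicalize(env.payload)), key, Buffer.from(env.signature, "base64"));
    if (!ok) return { allowed: false, reason: "bad signature", hint: "payload was modified after signing or signed with another key" };
  }
  if (policy.requireNotRevoked) {
    if (input.publisherId && revoked.publishers.has(input.publisherId)) return { allowed: false, reason: "publisher revoked", hint: "check the revocations path" };
    if (revoked.artifacts.has(input.contentSha256)) return { allowed: false, reason: "artifact revoked", hint: "check the revocations path" };
  }
  return { allowed: true };
}

// Signing helper for the demo (what a publisher would run; not part of enforcement).
function makeSignedEnvelope(payload: Record<string, unknown>, priv: crypto.KeyObject, pub: crypto.KeyObject): SignedEnvelope {
  return {
    payload,
    signature: crypto.sign(null, Buffer.from(canonicalize(payload)), priv).toString("base64"),
    public_key: pub.export({ type: "spki", format: "der" }).toString("base64"),
  };
}

// Constructed scenario: one trusted publisher, then the ways a tool call is allowed or blocked.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const keyring: Keyring = { acme: publicKey.export({ type: "spki", format: "der" }).toString("base64") };
  const none: RevocationList = { publishers: new Set<string>(), artifacts: new Set<string>() };
  const strict: TrustPolicy = { requireKeyring: true, requireNotRevoked: true };
  const payload = { publisher_id: "acme", trustcard_id: "tc-1", tool: "shell" };
  const envelope = makeSignedEnvelope(payload, privateKey, publicKey);
  const good = resolveTrustContext(envelope);
  const tampered = { ...envelope, payload: { ...payload, tool: "shell --unrestricted" } };
  return {
    signedOk: enforceTrust(good, keyring, none, strict),
    unsigned: enforceTrust(resolveTrustContext(payload), keyring, none, strict),
    tampered: enforceTrust(resolveTrustContext(tampered), keyring, none, strict),
    revokedArtifact: enforceTrust(good, keyring, { publishers: new Set<string>(), artifacts: new Set<string>([good.contentSha256]) }, strict),
    checksOff: enforceTrust(resolveTrustContext(payload), keyring, none, policyFromEnv({})),
  };
}
```

Two points the example makes that the description only implies: the envelope's own `public_key` is never used as the verification key (an attacker can sign with any key and ship it alongside the payload), it is only cross-checked against the keyring entry for the claimed publisher; and `contentSha256` must be computed over the same canonical bytes the signer and the revocation-list publisher used, otherwise a revoked artifact slips through on a whitespace or key-order difference.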
