feat(grounding-wrapper): validate keyword input on initSession

[LanNguyenSi]

Summary

initSession silently emitted degenerate ids and resolved_scopes for edge-case keywords:

Input	id	resolved_scope
""	gs--<ts>	""
1000-char string	slug truncated to 16, ts	full 1000-char scope
"クラウド"	gs---<ts>	"" (Unicode stripped, nothing left)
"クラウド-monitor"	gs---monitor-<ts>	"--monitor" (leading double-dash)

Reviewer of PR #91 (task 839b51f9) called out that the README's "Public API for enforcement" section claims initSession is deterministic in keyword+problem, which is technically true (same input → same degenerate output) but the input domain wasn't pinned anywhere.

Fix

• New exported helper validateKeyword(keyword: unknown): void that throws a typed Error when the keyword is:
  • non-string,
  • empty,
  • longer than KEYWORD_MAX_LENGTH (64) chars, or
  • slug-normalised to an empty string (toLowerCase → [^a-z0-9]+ collapse → trim leading/trailing -).
• initSession calls validateKeyword(input.keyword) as its first statement.
• README "Public API for enforcement" gains an "Input invariants" bullet naming the rules + the exported helper.
• 13 new tests (29 → 42 passing): both validateKeyword directly and initSession covered.

The rule preserves friendly mixed-Unicode keywords: "クラウド-monitor" normalises to "monitor" and is still accepted. Only pure-Unicode / pure-symbol / pure-whitespace / oversize / empty inputs are rejected.

Backward compatibility

Grep confirmed every existing initSession( caller in the monorepo uses a valid ASCII slug (clawd-monitor, github-api, agent-tasks, etc.). handleScopeChange has no production caller outside lib.ts, so the new throw is contained.

Test plan

• npm test in grounding-wrapper: 42/42 pass.
• Review subagent: APPROVE, including live verification of the slug-regex boundary cases.
• Ledger fact logged for the CI merge-approval gate.
• CI green.