feat(graph): planner_critique_node wired + critique_verdict ledger event [W2.D.2]

[TimothyVang]

Summary

• Adds PlannerCritiqueVerdict schema invariant: route="planner" + failed_questions=[] raises ValidationError (loopback with no reason = infinite loop, W2.D.2 load-bearing).
• Adds LedgerEntry schema (verdict/schemas/ledger.py) with all 13 event types including "critique_verdict", three-tier ID hierarchy, NIST SP 800-86 exam-env metadata.
• Adds InMemoryLedger (verdict/ledger/memory.py) — real Ledger Protocol implementation (not a mock, §3.10 compliant) backed by a list with blake3 derive_key HMAC chain.
• Adds planner_critique_node(plan, ledger) (verdict/graph/nodes.py) — writes critique_verdict LedgerEntry with route + all_questions + failed_questions + hint in payload.

Test plan

• pytest tests/planning/test_planner_critique_verdict.py — 8 tests GREEN
• All 17 planning tests GREEN (W2.D.1 + W2.D.2)
• ruff check verdict/ tests/planning/ — clean
• RED commit precedes GREEN commit

[TimothyVang]

W2.D.2 — PlannerCritiqueVerdict schema + critique_verdict ledger event

CI gate: 17/17 GREEN (9 from W2.D.1 + 8 new). Ruff: clean.

PASS — hard rules

Check	Status
PlannerCritiqueVerdict(route="planner", failed_questions=[]) raises ValidationError	PASS
PlannerCritiqueVerdict(route="comprehension_gate", failed_questions=[]) valid	PASS
Unknown route value raises ValidationError	PASS
LedgerEntry schema with all 13 EventType values	PASS
13 event types confirmed: case_init, tool_call, finding, approval, rejection, mode_lock, comprehension_check, critique_verdict, pivot, exhausted_replan, evidence_hash_recheck, sandbox_failure, planner_cot	PASS
planner_critique_node writes critique_verdict LedgerEntry with route, all_questions, failed_questions, hint in payload	PASS
LedgerEntry.case_id matches plan.case_id	PASS
InMemoryLedger uses blake3 derive_key_context for HMAC chain, not unittest.mock	PASS
§3.7 RED 0428f0b precedes GREEN 71519dc, both carry [W2.D.2]	PASS
§3.10 InMemoryLedger is a real Ledger Protocol implementation, not a mock	PASS

ISSUE — planner_critique_node hardcodes mode="cloud" in ledger write

verdict/graph/nodes.py line:

active_ledger.write(
    ...
    mode="cloud",  # mode is locked at case_init; W3 wires the real mode
)

The comment acknowledges this is deferred. However, a ledger entry written with the wrong mode violates §3.4 mode lock: LedgerEntry.mode_at_case_init is supposed to be the mode from case_init, not hardcoded. When the W3 wiring lands, this will silently corrupt air-gap and dual ledger chains if the fixup isn't tracked. The planner_critique_node signature should accept a mode: Mode parameter now and propagate it, even if the caller passes the same hardcoded default:

def planner_critique_node(
    plan: InvestigationPlan,
    *,
    ledger: Ledger | None = None,
    config: CritiqueConfig | None = None,
    mode: Mode = "cloud",   # injected by graph state at case_init
) -> PlannerCritiqueVerdict:

This is non-blocking for W2.D.2 merge if a follow-up task is logged, but the signature change has zero risk and should be done now.

MINOR — _make_entry_id uses SHA-256 prefix (16 hex chars = 8 bytes) vs ULID

The docstring correctly notes "Production ledger uses ULID." The 16-hex-char SHA-256 prefix is collision-safe for test volumes but the comment should say "tests only; production uses ULID from python-ulid or ulid2" so no future contributor copies it into JournalLedger.

COSMETIC — Function name typo in test

test_planner_critique_node_returns_plandner_critique_verdict — plandner should be planner. The test is collected and passes correctly; this is a readability issue only.

CARRY-OVER from #44 — EVTX_4624 and USNJRNL still absent from ArtifactClass

Not introduced by this PR, but not fixed either. Must be resolved before the caveat-validator PRs (W1.B.9/W1.B.10) merge.

Non-blocking overall if (a) mode parameter follow-up is logged and (b) the plandner typo is fixed.