Implement CG-009: static rule engine and risk scoring in @clawguard/scanner

[ysqander]

Motivation

• Deliver the CG-009 work item to provide a first-pass static rule engine that can determine whether a discovered skill should remain present on the machine.
• Add detection for high-risk patterns (exfiltration, staged downloads, prompt-injection, memory tampering, privilege escalation, obfuscation) so the daemon can make quarantine recommendations.
• Ship deterministic scoring and a simple recommendation model so downstream components can act (allow / review / block).

Description

• Replaced the scanner placeholder with a rule engine implementation in packages/scanner/src/index.ts, including rule metadata, evidence extraction, and a scanSkillSnapshot entrypoint while preserving createPlaceholderScanReport as a compatibility wrapper.
• Added first-pass rules for CG-RULE-EXFILTRATION, CG-RULE-PROMPT-INJECTION, CG-RULE-MEMORY-TAMPERING, CG-RULE-PRIVILEGE-ESCALATION, CG-RULE-OBFUSCATION, and CG-RULE-STAGED-DOWNLOAD, plus weighted severity scoring and a diversity bonus to compute a 0–100 risk score.
• Added unit tests in packages/scanner/src/index.test.ts covering benign snapshots, staged-download detection, and multi-category malicious examples, and wired a test script into packages/scanner/package.json.

Testing

• Ran pnpm install, pnpm build, and pnpm typecheck across the workspace and they all succeeded.
• Ran pnpm --filter @clawguard/scanner test and the scanner test suite passed (all scanner subtests succeeded).
• Ran full workspace pnpm test and observed a pre-existing environment-sensitive failure in packages/discovery test buildSkillSnapshot returns read-failed when a file cannot be read due to chmod/unreadable-file semantics in this execution environment (scanner changes do not cause this failure).

---

Codex Task