Plugin manager with checksum verification

[kortiene]

Context

v0.2 has built-in templates and disk-loaded user templates (~/.claw/templates/*.yaml) but no third-party plugin model. As soon as agents start sharing plugins / skills / runtime configurations, the supply chain risk is real: a malicious plugin in a template package could escape the agent boundary.

Source: docs/SPRINT_PLAN.md §8.

Acceptance criteria

• claw plugins install <source> installs into ~/.claw/plugins/<name>/.
• Each plugin manifest declares: name, version, sha256 of the bundle, signature (optional, see Template signing #9).
• Install verifies the sha256 against the manifest before unpacking; refuses on mismatch.
• claw plugins list shows installed plugins, their versions, and their checksum status.
• claw plugins remove <name> archives to ~/.claw/trash/plugins/<name>-<timestamp>/.
• Plugins can register: new templates (loaded after disk templates), new tools (gated by runtime policy from Runtime policy mutation: claw tools/skills allow|deny #1), and new audit handlers.
• CI test that installs a known-good plugin and one with a tampered checksum.

Out of scope

• A central plugin registry — assume direct git/HTTP URLs for v0.3.
• Sandboxing plugins from the host — they run in the operator's process; security scope is "verify what you install", not "contain it".

References

• docs/SPRINT_PLAN.md §8
• Related: Template signing #9 (template signing) is the natural follow-on for trust beyond checksums