
v0.5.0

@github-actions github-actions released this 01 Jun 08:42
· 97 commits to main since this release
1486ece
  • Stabilizes the approval-helper opener test. Replaces a brittle assertNotIn("pwd", ...) substring scan — which produced false positives whenever the temp-dir path contained pwd — with a deterministic check that parses the AppleScript do script body and asserts it launches only the approval-helper invocation, preserving the original intent (the requested command is never executed by the opener). No production behavior change.

  • Replaces the PydanticAI example with a real, deterministic, offline end-to-end dogfood. A FunctionModel-driven agent loop exercises the full path — agent → PermissionGateway → real temp-dir file I/O → scoped delegation → hash-chained audit → audit verification — across four scenarios (safe USER_DIRECT allow; sensitive write held at REQUIRE_APPROVAL then allowed via a delegation token; blocked exfiltration denied; audit chain verified). The LLM is a deterministic test double (no key, no network); the gateway/delegation/audit path and file I/O are real. Adds a pydantic-ai examples optional extra (never a runtime dependency) and a dedicated CI job; the example test skips cleanly when the extra is absent.

  • Positioning: clarifies engine vs. demo executor. Documents Agent_Sudo as an authorization/approval/delegation/audit engine whose primary integration is embedding the library in your agent; the MCP server is a distribution channel and reference demo. The MCP write_file (scoped to /tmp/agent-sudo-demo) and run_shell_command (narrow allowlist) tool descriptions now state plainly that they are demo executors, not a turnkey way to mediate a client's real file/shell tools. README "Choose Your Path", the Claude Desktop guide, and the security model are updated accordingly. No behavior change — labeling and docs only.

  • Adds agent-sudo verify-routing, a read-only command that reports observed evidence of whether actions are flowing through Agent_Sudo: configuration state, observed gateway activity (audit record count, last record, decision histogram, hash-chain integrity), a best-effort scan of the client MCP config for agent-sudo and other bypass-capable servers, and the standing trust-boundary limits. It performs no probing, execution, or telemetry, and deliberately makes no aggregate "you are protected" claim — it can only report observed signals, not certify routing completeness.

  • Security hardening: contradictory provenance is reconciled, not trusted. When a request asserts a source_trust higher than its source / origin_type evidence supports (e.g. source="webpage" or origin_type="EXTERNAL_CONTENT" paired with source_trust="USER_DIRECT"), the gateway now downgrades the trust to the most restrictive level the evidence supports (EXTERNAL_CONTENT/UNKNOWN) instead of honoring the inflated claim, and records an inconsistent_provenance reason on the decision and audit entry. Impact: such requests are escalated to REQUIRE_APPROVAL rather than allowed. Internally consistent provenance — including an explicit USER_DIRECT whose source/origin_type agree — is honored exactly as before. A consistently-forged USER_DIRECT remains a known limitation pending host attestation. See docs/architecture/security_model.md (Default Trust Posture).

  • Security hardening (behavior change): missing provenance now fails closed. A request that does not assert a trust level — no source_trust, no provenance — is treated as UNKNOWN (untrusted) instead of USER_DIRECT. The change is applied at the MCP JSON-RPC boundary (tool_call_from_jsonrpc), the ActionRequest.from_dict path, and the ActionRequest constructor default. Impact: a SAFE action (e.g. read_file) arriving without provenance is now escalated to REQUIRE_APPROVAL rather than allowed silently. Clients/integrations that speak for the operator must attest provenance explicitly (source_trust="USER_DIRECT"); explicit trust is honored exactly as before. Self-attested USER_DIRECT remains believed — host attestation / nonce binding is tracked separately. See docs/architecture/security_model.md (Default Trust Posture).
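The two trust-posture rules above (missing provenance fails closed; contradictory provenance is downgraded rather than trusted), as an added Python illustration that is not Agent_Sudo's own code: the function names, the trust ordering, the source / origin_type mappings and the missing_provenance reason are assumptions chosen to match the behavior the notes describe.

```python
from dataclasses import dataclass, field

# Trust levels from most to least trusted. The ordering is an assumption that
# matches the three levels named in the release notes.
TRUST_ORDER = ["USER_DIRECT", "EXTERNAL_CONTENT", "UNKNOWN"]

# What the other provenance fields imply about trust (assumed mappings). Any
# value not listed counts as UNKNOWN evidence, i.e. the check fails closed.
SOURCE_IMPLIES = {"user": "USER_DIRECT", "webpage": "EXTERNAL_CONTENT"}
ORIGIN_IMPLIES = {"USER": "USER_DIRECT", "EXTERNAL_CONTENT": "EXTERNAL_CONTENT"}


def most_restrictive(levels):
    return max(levels, key=TRUST_ORDER.index)


def reconcile_trust(request):
    """Return (effective_trust, reasons) for a request dict."""
    claimed = request.get("source_trust")
    if claimed not in TRUST_ORDER:
        # Absent (or unrecognized) provenance is untrusted, not USER_DIRECT.
        return "UNKNOWN", ["missing_provenance"]  # reason name is assumed
    evidence = []
    if "source" in request:
        evidence.append(SOURCE_IMPLIES.get(request["source"], "UNKNOWN"))
    if "origin_type" in request:
        evidence.append(ORIGIN_IMPLIES.get(request["origin_type"], "UNKNOWN"))
    if evidence:
        cap = most_restrictive(evidence)
        if TRUST_ORDER.index(claimed) < TRUST_ORDER.index(cap):
            # Claim exceeds what the evidence supports: downgrade, don't trust.
            return cap, ["inconsistent_provenance"]
    # Internally consistent, or unaccompanied, claims are honored as before.
    return claimed, []


@dataclass
class Decision:
    effective_trust: str
    outcome: str  # "ALLOW" or "REQUIRE_APPROVAL"
    reasons: list = field(default_factory=list)


def decide(request, sensitivity="SAFE"):
    """SAFE actions pass only on USER_DIRECT trust; anything else, including
    any SENSITIVE action, is held at REQUIRE_APPROVAL."""
    trust, reasons = reconcile_trust(request)
    allowed = sensitivity == "SAFE" and trust == "USER_DIRECT"
    return Decision(trust, "ALLOW" if allowed else "REQUIRE_APPROVAL", reasons)
```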