Policy engine

[Abiorh001]

Summary
Major refactor to simplify nanopayments by removing NanoKeyVault and adopting direct private key mode, derive CAIP-2 network strictly from OMNICLAW_NETWORK via network_to_caip2, add comprehensive agent API endpoints, and apply Ruff-driven lint cleanup across the codebase.

Breaking Changes

• Removed OMNICLAW_NANOPAYMENTS_DEFAULT_NETWORK - Nanopayment CAIP-2 is now derived from OMNICLAW_NETWORK via network_to_caip2()
• Removed NanoKeyVault - Replaced with direct private key mode (NanopaymentAdapter.from_private_key())
• Removed entity_secret requirement - Now uses OMNICLAW_PRIVATE_KEY for nanopayment signing
• Removed vault property - client.vault no longer exists

Core Changes
Network Derivation (src/omniclaw/core/types.py, src/omniclaw/core/config.py)

• network_to_caip2() now handles all CAIP-2 derivation from OMNICLAW_NETWORK
• Non-EVM networks return None with clear error messages
• Removed nanopayments_default_network config field
• Added nanopayments_private_key for direct private key mode

Client (src/omniclaw/client.py)

• Added _nanopayment_network() method deriving CAIP-2 from config
• Removed NanoKeyVault dependency entirely
• Uses NanopaymentAdapter.from_private_key() for direct key mode
• Added get_gateway_balance() method using on-chain calls
• Added HTTP security checks for localhost/private networks

Agent Server (src/omniclaw/agent/server.py)

• Uses network_to_caip2() for nanopayment network

• Reads OMNICLAW_NETWORK from environment

• Added policy hot-reload loop

• Sync wallet initialization (blocking) for direct key mode
  Agent Routes (src/omniclaw/agent/routes.py)

• Added /nano-address - Get nanopayment EOA address

• Added /balance-detail - Detailed balance including Gateway

• Added /deposit - Deposit USDC to Gateway

• Added /withdraw - Withdraw from Gateway via Circle API

• Added /withdraw-trustless - Trustless on-chain withdrawal

• Added /deposit-address - Get EOA for external deposits

• Added /confirmations/{id} - Confirmation management endpoints

• Updated /x402/verify - Real implementation that settles payments

• Updated /x402/pay - Uses client.pay() for automatic routing

• Added require_owner() for privileged endpoints
  Guards (src/omniclaw/guards/)

• Added confirmations.py - New confirmation store for payment approvals
  Policy Engine (src/omniclaw/agent/policy.py)

• Major refactor with wallet-per-agent support

• Per-wallet limits and recipient validation

• Multiple wallet configuration support

Documentation Updates

• README.md - Added Gateway CAIP-2 derivation note
• docs/API_REFERENCE.md - Added nanopayments network derivation note
• docs/SDK_USAGE_GUIDE.md - Added Gateway CAIP-2 note
• docs/FEATURES.md - Added CAIP-2 derivation and EVM-only note

Test Cleanup (Ruff-driven)

• Removed bare except: clauses
• Fixed import ordering
• Updated class names to PascalCase
• Added exception specificity
• Removed unused imports
• Updated tests to not use removed config