feat: pin constitution hash and manifest evidence

40-rules/governance_constitution_pinned.sh

@@ -7,8 +7,14 @@ EVID_DIR="${1:?usage: governance_constitution_pinned.sh <evidence_dir>}"
 TS="$(iso_utc_now)"
 FILE="$EVID_DIR/constitution_hash.json"
 
+ROOT="$(vmcc_root)"
+PIN_FILE="${VMCC_PINS_FILE:-$ROOT/config/pins.yaml}"
 PINNED_SHA256="${VMCC_PINNED_CONSTITUTION_SHA256:-}"
 
+if [[ -z "$PINNED_SHA256" && -f "$PIN_FILE" ]]; then
+  PINNED_SHA256="$(awk -F': *' '/^constitution_sha256:/ {print $2}' "$PIN_FILE" | tr -d '"' | tr -d "'" | head -n 1)"
+fi
+
 if [[ ! -f "$FILE" ]]; then
   json_emit "$(jq -n --arg ts "$TS" '{
     version:"1.0.0",