fix(ci): temporary clawhub publish workaround for MIT-0 consent (#117)

* fix(ci): patch clawhub publish payload for temporary MIT-0 consent workaround

* fix(ci): make clawhub publish patch self-contained for tag republish

* fix(clawsec-nanoclaw): harden signature verification boundaries

* chore(clawsec-nanoclaw): bump version to 0.0.3

* fix(clawsec-nanoclaw): normalize integrity policy and baseline paths

skills/clawsec-nanoclaw/INSTALL.md

@@ -140,6 +140,8 @@ From within a NanoClaw agent session, the following tools should be available:
 
 **Signature Verification** (mcp-tools/signature-verification.ts):
 - `clawsec_verify_skill_package` - Verify Ed25519 signature on skill packages
+  - Uses pinned ClawSec public key (no runtime key override)
+  - Accepts staged package/signature paths only under `/tmp`, `/var/tmp`, `/workspace/ipc`, `/workspace/project/data`, `/workspace/project/tmp`, `/workspace/project/downloads`
 
 **Integrity Monitoring** (mcp-tools/integrity-tools.ts):
 - `clawsec_check_integrity` - Check protected files for unauthorized changes