examples: add payment guard evidence export bundle

[safal207]

Closes #151

What this adds

Two new files:

scripts/export_payment_guard_evidence.py

Portable evidence export script. Zero new dependencies (stdlib only).

python3 scripts/export_payment_guard_evidence.py --out proofpath-evidence-bundle/

Produces:

proofpath-evidence-bundle/
  audit.jsonl
  replay-store.json
  payment_guard_service_config.json
  payment_policy.json
  verification_report.json

verification_report.json fields:

• generated_at — ISO 8601 UTC timestamp
• bundle_type — "agent-payment-guard-evidence"
• audit_records_count — number of records in audit.jsonl
• replay_store_nonces — number of spent nonces in replay-store.json
• hash_chain_valid — bool, result of inline chain verification
• hash_chain_message — human-readable chain status
• source_files — original paths of each input
• copied_files — list of files written into the bundle

Behavior:

• Missing audit.jsonl → hard fail with clear error message
• Missing replay-store.json → exports empty {} with a warning (pre-Add persistent replay store for signed intent nonces #149 migration path)
• Output dir created if absent; existing files overwritten
• Hash-chain invalid → warning logged, hash_chain_valid: false in report (export still completes)

examples/agent-payment-guard/run_evidence_export_check.sh

Smoke test: spins up service → sends one valid ACCEPT → stops service → runs export → verifies bundle structure + report fields → re-runs verify_audit_log.py against bundled audit.jsonl.

Validation target

bash examples/agent-payment-guard/run_demo_check.sh
bash examples/agent-payment-guard/run_service_check.sh
python3 scripts/export_payment_guard_evidence.py --out proofpath-evidence-bundle/
python3 scripts/verify_audit_log.py proofpath-evidence-bundle/audit.jsonl
bash examples/agent-payment-guard/run_evidence_export_check.sh

Non-goals

No cloud upload, no zip/tar, no signing, no SQLite, no new dependencies.

[safal207]

PR looks good and mostly matches #151: stdlib-only export script, inline hash-chain verification, deterministic missing replay-store behavior, verification_report.json with the requested fields, and a smoke check that verifies the produced bundle.

One small blocking gap before merge: the issue acceptance criteria includes:

Docs mention how to export and inspect the bundle.

Please add a short section to docs/agent-payment-guard-service.md or another appropriate docs page with:

python3 scripts/export_payment_guard_evidence.py --out proofpath-evidence-bundle/
python3 scripts/verify_audit_log.py proofpath-evidence-bundle/audit.jsonl

Also mention the output files:

audit.jsonl
replay-store.json
payment_guard_service_config.json
payment_policy.json
verification_report.json

Optional but useful: add this to the local validation block:

bash examples/agent-payment-guard/run_evidence_export_check.sh

After that, #152 should be merge-ready. Keep the non-goals as-is: no cloud upload, no archive packaging requirement, no signing, no SQLite, no wallets/SDK/RPC/JWS/EIP-712.