feat(pip): add PolicyClient for RFC-005 PDP integration (Option B) (#10)

* feat(pip): add PolicyClient for RFC-005 PDP integration via gRPC

Option B architecture: delegates all PDP decision logic to Go core's
EvaluatePolicyDecision RPC. Python SDK handles obligation execution
(context-dependent) and response propagation.

New files:
- capiscio_mcp/pip.py: PolicyClient, PIPConfig, PolicyResult, Obligation
  - PolicyClient.evaluate() builds request, calls gRPC, parses response
  - PolicyResult.execute_obligations() dispatches to registered handlers
  - PolicyResult.allowed/denied/pdp_error convenience properties

- tests/test_pip.py: 23 tests covering:
  - PolicyResult properties (allowed/denied/pdp_error)
  - Obligation dataclass and execution
  - PIPConfig defaults and custom values
  - PolicyClient gRPC integration (mock): allow, deny, observe, cache,
    break-glass, obligations, bad JSON, request field fidelity

Proto updates:
- Regenerated gen/ stubs from capiscio-core feature/rfc005-pdp-rpc proto
  (adds EvaluatePolicyDecision RPC + 6 new message types)
- Updated hand-written stubs with matching dataclasses for IDE support

* fix: align proto with capiscio-core breakglass_public_key (bytes)

- Regenerated proto stubs from capiscio-core main (PR #43 merged)
- PolicyConfig.breakglass_public_key_path (string) → breakglass_public_key (bytes)
- Updated PIPConfig, PolicyClient.evaluate(), and tests
- Fixed regenerated grpc stub import path

* fix: address PR review comments

- Remove Obligation.id (MCPObligation proto has no id field)
- Validate json.loads returns dict before using as params
- Downgrade grpcio version check from RuntimeError to RuntimeWarning
- Update tests to match proto shape (no id field on obligations)

Author: beonde

capiscio_mcp/_proto/capiscio/v1/mcp_pb2.py

@@ -177,3 +177,75 @@ class HealthResponse:
     core_version: str = ""
     proto_version: str = ""
     version_compatible: bool = True
+
+
+# =============================================================================
+# RFC-005: Policy Decision Messages
+# =============================================================================
+
+@dataclass
+class PolicySubject:
+    """Subject attributes for policy evaluation."""
+    did: str = ""
+    badge_jti: str = ""
+    ial: str = ""
+    trust_level: str = ""
+    badge_exp: int = 0
+
+
+@dataclass
+class PolicyAction:
+    """Action attributes for policy evaluation."""
+    operation: str = ""
+    capability_class: str = ""
+
+
+@dataclass
+class PolicyResource:
+    """Resource attributes for policy evaluation."""
+    identifier: str = ""
+
+
+@dataclass
+class PolicyConfig:
+    """PEP-level configuration for the policy decision."""
+    pdp_endpoint: str = ""
+    pdp_timeout_ms: int = 0
+    enforcement_mode: str = ""
+    pep_id: str = ""
+    workspace: str = ""
+    breakglass_public_key: bytes = b""
+
+
+@dataclass
+class PolicyDecisionRequest:
+    """Request message for EvaluatePolicyDecision RPC."""
+    subject: Optional[PolicySubject] = None
+    action: Optional[PolicyAction] = None
+    resource: Optional[PolicyResource] = None
+    config: Optional[PolicyConfig] = None
+    breakglass_token: str = ""
+
+
+@dataclass
+class MCPObligation:
+    """Obligation from policy decision."""
+    type: str = ""
+    params_json: str = ""
+
+
+@dataclass
+class PolicyDecisionResponse:
+    """Response from centralized policy decision."""
+    decision: str = ""
+    decision_id: str = ""
+    reason: str = ""
+    ttl: int = 0
+    obligations: List["MCPObligation"] = field(default_factory=list)
+    enforcement_mode: str = ""
+    cache_hit: bool = False
+    breakglass_override: bool = False
+    breakglass_jti: str = ""
+    error_code: str = ""
+    pdp_latency_ms: int = 0
+    txn_id: str = ""

capiscio_mcp/_proto/capiscio/v1/mcp_pb2_grpc.py

@@ -44,6 +44,18 @@ async def EvaluateToolAccess(
         """
         raise NotImplementedError("Stub - replace with generated code")
 
+    async def EvaluatePolicyDecision(
+        self,
+        request: "mcp_pb2.PolicyDecisionRequest",
+    ) -> "mcp_pb2.PolicyDecisionResponse":
+        """
+        Evaluate policy decision (RFC-005).
+        
+        Centralized PDP decision logic. Returns policy outcome
+        including obligations — never raises gRPC errors for PDP issues.
+        """
+        raise NotImplementedError("Stub - replace with generated code")
+    
     async def VerifyServerIdentity(
         self,
         request: "mcp_pb2.VerifyServerIdentityRequest",
@@ -87,6 +99,14 @@ async def EvaluateToolAccess(
         """Evaluate tool access (RFC-006)."""
         raise NotImplementedError("Method not implemented!")
 
+    async def EvaluatePolicyDecision(
+        self,
+        request: "mcp_pb2.PolicyDecisionRequest",
+        context: "grpc.aio.ServicerContext",
+    ) -> "mcp_pb2.PolicyDecisionResponse":
+        """Evaluate policy decision (RFC-005)."""
+        raise NotImplementedError("Method not implemented!")
+    
     async def VerifyServerIdentity(
         self,
         request: "mcp_pb2.VerifyServerIdentityRequest",