feat(ontology): W3C SHACL validation + PROV-O provenance (PRD-022)

Implements the Semantic Trust Layer across WS-0 through WS-5:

- WS-0: Five SHACL shapes (knowledge-node, ontology-class, agent-node,
  bridge-record, inferred-axiom) in crates/visionclaw-ontology/shapes/
- WS-1: Dual-mode SHACL gate (Enforcing/Advisory) with severity mapping
- WS-2: PROV-O reification emitter — every JSON-LD ingest and BC20
  crossing produces queryable provenance triples in Oxigraph
- WS-5: /api/ontology-physics/trust-status liveness canary
- SPARQL migrations 0002/0003 bootstrap shapes and provenance graphs
- ADR-127 accepted, PRD-022 evidence gate wired, DDD context added
- WS-3/WS-4 (relay-mediated SPARQL federation) deferred to Phase 2

Co-Authored-By: jjohare <github@thedreamlab.uk>

Author: jjohare

README.md

@@ -25,7 +25,7 @@ https://github.com/user-attachments/assets/f45c92dc-4800-4b57-a6e2-178da6bb0a38
 
 ---
 
-**92 CUDA kernels · GPU clustering, anomaly detection and PageRank · Multi-user immersive XR · 88 agent skills · OWL 2 ontology governance · Nostr DID identity · Solid Pod sovereignty**
+**92 CUDA kernels · GPU clustering, anomaly detection and PageRank · Multi-user immersive XR · 88 agent skills · OWL 2 + SHACL ontology governance · W3C PROV-O provenance · Nostr DID identity · Solid Pod sovereignty**
 
 ---
 
@@ -119,7 +119,7 @@ flowchart TB
 
     subgraph Layer2["LAYER 2 — ORCHESTRATION"]
         Skills["88 Agent Skills\nClaude-Flow DAG Pipelines"]
-        Ontology["OWL 2 EL Reasoning\nWhelk-rs Inference Engine"]
+        Ontology["OWL 2 EL + SHACL\nWhelk-rs + PROV-O"]
         MCP["17 MCP Tools\nKnowledge Graph Read/Write"]
         GPU["GPU Compute\n92 CUDA Kernels"]
     end
@@ -147,6 +147,8 @@ flowchart TB
 
 **Semantic Governance**
 - OWL 2 EL reasoning via Whelk-rs (EL++ inference)
+- W3C SHACL shape validation — dual-mode gate (enforcing on writes, advisory on reads)
+- W3C PROV-O provenance reified as queryable RDF in an append-only named graph
 - `subClassOf` → attraction, `disjointWith` → repulsion in GPU physics
 - Every ontology mutation creates a GitHub PR — human veto before commit
 - Content-addressed immutable provenance beads (Nostr)
@@ -676,7 +678,7 @@ Each context has its own aggregate roots, domain events, and anti-corruption lay
 | **Graph Store** | Oxigraph + SQLite | ADR-11 canonical persistence (SPARQL triple store) |
 | **Vector Memory** | RuVector PostgreSQL · pgvector | 1.17M+ entries · HNSW 384-dim · MiniLM-L6-v2 · 61µs search |
 | **GPU** | CUDA 13.1 · cudarc | 92 kernel functions · 6,585 LOC · PTX ISA auto-downgrade |
-| **Ontology** | OWL 2 EL · Whelk-rs | EL++ subsumption · consistency checking |
+| **Ontology** | OWL 2 EL · Whelk-rs · SHACL | EL++ subsumption · consistency checking · W3C shape validation · PROV-O provenance |
 | **Multi-User** | Vircadia World Server | Avatar sync · spatial HRTF audio · collaborative editing |
 | **Voice** | LiveKit SFU · turbo-whisper · Kokoro | CUDA STT · TTS · Opus 48kHz · 4-plane routing |
 | **Identity** | Nostr NIP-07/NIP-98 · DID:Nostr | Browser extension signing · NIP-26 delegation · W3C key rotation |

agentbox

@@ -0,0 +1,21 @@
+# Migration 0002: Bootstrap the SHACL shapes named graph (PRD-022 WS-0).
+#
+# Creates urn:ngm:graph:shapes and loads a sentinel triple so the graph
+# is discoverable via SPARQL ASK. The actual shape triples are loaded
+# programmatically from the embedded .ttl files at startup — this
+# migration only ensures the graph exists and is queryable.
+#
+# Idempotent: INSERT DATA is additive; re-running is a no-op if the
+# sentinel already exists.
+
+INSERT DATA {
+    GRAPH <urn:ngm:graph:shapes> {
+        <urn:ngm:shape:catalogue>
+            <http://www.w3.org/1999/02/22-rdf-syntax-ns#type>
+            <http://www.w3.org/ns/shacl#Schema> .
+
+        <urn:ngm:shape:catalogue>
+            <http://www.w3.org/2000/01/rdf-schema#comment>
+            "SHACL shape catalogue for VisionClaw domain types (PRD-022)." .
+    }
+}

crates/visionclaw-adapters/migrations/sparql/0002_bootstrap_shapes_graph.rups

@@ -0,0 +1,23 @@
+# Migration 0003: Bootstrap the PROV-O provenance named graph (PRD-022 WS-2).
+#
+# Creates urn:ngm:graph:provenance as an append-only audit trail for
+# reified PROV-O activity triples. The sentinel triple marks the graph
+# as a provenance container.
+#
+# INVARIANT: This graph accepts only INSERT DATA. No DELETE, DROP, or
+# CLEAR operations are permitted against it. Enforcement is at the
+# handler level (validate_read_only_sparql + provenance-specific guard).
+#
+# Idempotent: INSERT DATA is additive.
+
+INSERT DATA {
+    GRAPH <urn:ngm:graph:provenance> {
+        <urn:ngm:provenance:catalogue>
+            <http://www.w3.org/1999/02/22-rdf-syntax-ns#type>
+            <http://www.w3.org/ns/prov#Collection> .
+
+        <urn:ngm:provenance:catalogue>
+            <http://www.w3.org/2000/01/rdf-schema#comment>
+            "Append-only PROV-O provenance trail for VisionClaw (PRD-022)." .
+    }
+}

crates/visionclaw-adapters/migrations/sparql/0003_bootstrap_provenance_graph.rups

@@ -42,3 +42,8 @@ pub use sparql_migrations::{run_pending as run_sparql_migrations, MigrationError
 // WS-1 / ADR-100 — standards-grade RDF round-trip serialisation over oxigraph's
 // bundled oxrdfio (Turtle / JSON-LD / N-Quads). No new dependency.
 pub mod rdf_serializer;
+
+// PRD-022 WS-2 — PROV-O provenance reification emitter. Reifies activity
+// URNs as RDF triples in the append-only urn:ngm:graph:provenance graph.
+pub mod provenance_emitter;
+pub use provenance_emitter::{reify_activity, ActivityRecord, ProvenanceError};

crates/visionclaw-adapters/src/lib.rs

@@ -48,6 +48,12 @@ pub const GRAPH_ONTOLOGY_INFERRED: &str = "urn:ngm:graph:ontology:inferred";
 pub const GRAPH_KNOWLEDGE: &str = "urn:ngm:graph:knowledge";
 pub const GRAPH_AGENT: &str = "urn:ngm:graph:agent";
 
+/// PRD-022 trust-layer named graphs.
+/// `:shapes` holds W3C SHACL shape triples loaded from .ttl files at startup.
+/// `:provenance` holds append-only PROV-O activity triples (reified provenance).
+pub const GRAPH_SHAPES: &str = "urn:ngm:graph:shapes";
+pub const GRAPH_PROVENANCE: &str = "urn:ngm:graph:provenance";
+
 /// WS-9 derived named graphs. These are the ONLY graphs writable through the
 /// fenced `/api/ontology/derived` path: `:summary` holds approval-driven
 /// summary triples (broker write-back consequences), `:observed` holds