feat(sdk): extract SmartHopper.ProviderSdk + cryptographic provider trust model

[devin-ai-integration]

Description

Implements the full SmartHopper Provider SDK — Definitive Plan (phases 0 → 6) in one PR.

A standalone MIT-licensed SmartHopper.ProviderSdk assembly is extracted from SmartHopper.Infrastructure. Community provider authors can now compile against the SDK NuGet on a clean machine without cloning SmartHopper. On the host side, provider classification becomes purely cryptographic (strong-name + Authenticode + SHA-256 manifest — never file name or provider id), and runtime warnings for non-official providers are surfaced through the existing AIRuntimeMessage pipeline.

Phase 0 — Host abstractions

Eight host-injected interfaces in SmartHopper.ProviderSdk.Hosting/: IProviderTrustHost, IProviderRegistryHost, IPolicyPipelineHost, IContextProviderHost, IToolRegistryHost, IProviderSettingsStore, IProviderLogger, IProviderHttpClientFactory, IProviderDiagnostics. Static composition root ProviderSdkHost holds replaceable references with safe no-op defaults. AIProvider, AIRequestCall, AIRequestBase, SystemPromptBuilder, runtime-message helpers all consume ProviderSdkHost.* instead of SmartHopperSettings.Instance, ProviderManager.Instance, PolicyPipeline.Default, AIContextManager, or AIToolManager directly.

Phase 0.5 — Per-provider AssemblyLoadContext + SDK type-identity validation

ProviderAssemblyLoader loads provider DLLs into a dedicated AssemblyLoadContext that delegates shared assemblies (SmartHopper.ProviderSdk, SmartHopper.Infrastructure, Newtonsoft.Json, System.Drawing.Common) to the default ALC. Providers whose IAIProviderFactory type identity does not match the host's SDK are rejected with a clear diagnostic.

Phase 1 — SDK extraction with SmartHopper.ProviderSdk.* namespaces

• New src/SmartHopper.ProviderSdk/ project (net7.0;net7.0-windows, strong-named, XML docs, source link, MIT).
• All provider-facing types moved with new namespaces: contracts, base classes, AICall/Core/{Base,Interactions,Requests,Returns}, AICall/Metrics, minimal AICall/JsonSchemas, AICall/Batch/AIBatchTypes, AIModels/* (ModelManager consolidated into AIModelCapabilityRegistry), Settings/*, Streaming/*, Utils/*, runtime-message types, metadata attributes.
• SmartHopper.Infrastructure now references SmartHopper.ProviderSdk.
• All 6 in-tree providers (Anthropic, DeepSeek, Gemini, MistralAI, OpenAI, OpenRouter) migrated to SDK-only references.

Phase 2 — SemVer attributes + pre-activation compatibility check

SmartHopperProviderSdkVersionAttribute, BuiltAgainstSdkAttribute, MinHostSdkAttribute, SmartHopperProviderIdAttribute, SdkCompatibility.Check enforce BuiltAgainstSdk.MAJOR == HostSdk.MAJOR and HostSdk >= MinHostSdk at load. Mismatch ⇒ Invalid.

Phase 3 — Trust policy refactor

• ProviderClassifier produces Official | OfficialTampered | Community | Invalid from strong-name token + Authenticode (Windows) + SHA-256 manifest. File names and provider ids never affect classification.
• New SmartHopperSettings properties: AllowCommunityProviders (default false), BlockNonOfficialProviders (default false).
• New structured TrustedProviderRecord schema; legacy boolean TrustedProviders entries migrated automatically on first load.
• SmartHopperProviderTrustHost adapter wires ProviderManager ⇆ ProviderSdkHost.ProviderTrust so SDK validation can reason about trust without depending on Infrastructure singletons.

Phase 4 — Visible warnings

ProviderManager exposes IsProviderCommunity, IsProviderUnsigned, GetProviderClassification, GetProviderTrustRecord. AIRequestCall validation now emits runtime warning messages for community/unsigned providers in addition to the existing mismatched/unavailable/unknown warnings — these appear on every AI component using the affected provider.

Phase 5 — User-local discovery, duplicate id resolution, init isolation

• Discovery scans %AppData%/SmartHopper/Providers in addition to the app-local directory.
• Duplicate provider ids: subsequent registrations of an id already held by an Official provider are rejected.
• InitializeProviderAsync runs under a 30-second per-provider timeout; a hanging or crashing provider does not affect discovery of other providers.

Phase 6 — Docs, sample, CHANGELOG

• New docs/Providers/ProviderSdk.md covers contents/exclusions, target frameworks, MIT license, naming, minimal provider skeleton, SemVer/compat, trust model.
• docs/Providers/index.md and docs/Providers/ProviderManager.md updated to reflect the new cryptographic classification model, new settings, ALC, and accessor APIs.
• samples/SmartHopper.Providers.Sample/ ships a starter csproj + README that builds against SmartHopper.ProviderSdk only — a template for community authors.
• CHANGELOG.md updated under [Unreleased] with Added/Changed/Removed/Security sections.

Phase 4.3 — Provider IVTs removed

InternalsVisibleTo SmartHopper.Providers.* entries removed from SmartHopper.Infrastructure.csproj. Built-in providers now compile against the public SDK surface only, just like community providers.

Breaking Changes

• Provider-facing types moved to SmartHopper.ProviderSdk.* namespaces. All using SmartHopper.Infrastructure.AICall.*, using SmartHopper.Infrastructure.AIProviders.*, using SmartHopper.Infrastructure.AIModels.*, using SmartHopper.Infrastructure.Settings.* (for descriptor types), using SmartHopper.Infrastructure.Streaming.* using directives in external consumers must be updated to SmartHopper.ProviderSdk.*.
• TrustedProviders setting migrated. Legacy Dictionary<string,bool> entries are read once and re-encoded as TrustedProviderRecord entries. Existing user trust decisions are preserved; classification is filled in on next discovery.
• AllowCommunityProviders=false (default) blocks community providers from loading. Users currently relying on third-party SmartHopper.Providers.*.dll files dropped into the app folder must opt in via SmartHopperSettings.json (or settings dialog) to keep using them. This is a deliberate security gate.
• Provider InternalsVisibleTo removed. Any out-of-tree provider that was relying on SmartHopper.Infrastructure internals will fail to compile until it switches to the SDK public surface.

Testing Done

• dotnet build SmartHopper.Infrastructure -f net7.0 -c Debug — clean (0 errors, 0 warnings on the post-Phase-6 tree).
• dotnet build SmartHopper.sln -f net7.0 -c Debug /p:SignAssembly=true — all remaining errors are pre-existing environment issues (RhinoCodePlatform/IScriptComponent Rhino DLLs not resolvable on Linux; SmartHopper.Core.Grasshopper.Tests not restored locally). These do not surface on Windows CI.
• dotnet build SmartHopper.Infrastructure.Tests -f net7.0 -c Debug — clean (0 errors).
• Manual review of every file in the touched namespaces for correctness of the namespace migration, SDK API surface boundaries, and IVT removal.

CI (Windows + macOS) will validate the full solution once this PR is opened.

Checklist

• This PR is focused on a single feature or bug fix
• Version in Solution.props was updated, if necessary, and follows semantic versioning
• CHANGELOG.md has been updated
• PR title follows Conventional Commits format
• PR description follows Pull Request Description Template

Link to Devin session: https://app.devin.ai/sessions/3459a4436b2644158a53428a956c9a32
Requested by: @marc-romu

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring