feat(policy): validate agent-authored proposals

[zredlined]

Summary

Wire agent-authored policy proposals through gateway-side prover validation before they land in the draft inbox. The validation result is intentionally scoped: it reports prover findings for the supported policy surface, distinguishes narrow L7 proposals from broad L4 proposals, and returns validation unavailable when the effective policy uses features the prover does not model yet.

Related Issue

Closes #1097
Refs #1062

Changes

• Add openshell-prover as a gateway dependency for proposal-time validation.
• Validate each analysis_mode = agent_authored proposal against the current effective policy plus the proposed rule, including providers-v2 policy composition when enabled.
• Store concise validation strings on draft chunks, including scope evidence such as narrow L7 method/path scope, needs human: L4/no method-path scope, or validation unavailable for unsupported prover inputs.
• Treat policies containing L7 deny_rules as unsupported by the current prover instead of emitting a misleading pass verdict.
• Print Validation: in openshell rule get so the prover result is visible in the developer approval path.
• Update the agent-driven policy management demo and README to show the prover verdict as part of the workflow.
• Add tests for narrow L7 pass, broad L4 finding, deny-rule unsupported behavior, providers-v2 effective-policy composition, and agent-authored redraft dedup behavior.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Additional detail:

• cargo fmt --check
• cargo test -p openshell-server --lib agent_authored -- --nocapture
• cargo test -p openshell-server --lib grpc::policy::tests -- --nocapture
• cargo clippy -p openshell-server --lib --tests -- -D warnings
• cargo clippy -p openshell-cli --lib --tests -- -D warnings
• cargo test -p openshell-cli --lib -- --nocapture
• bash -n examples/agent-driven-policy-management/demo.sh
• mise run pre-commit completed Rust workspace tests, clippy, cargo check, Python checks, Helm lint, license check, and Mermaid lint; it failed only on existing local ignored architecture/plans/*.md markdownlint errors that are not part of this PR.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.