Policy engine: LLM advisory, artifact registry lookup, egress allowlist

[jeremymanning]

Description

Three TODO items remain in the 10-step deterministic policy engine:

1. LLM advisory flag (src/policy/engine.rs line ~196): Wire the LLM advisory when mesh LLM is available. Currently the field is set but the advisory system is not connected.
2. Artifact registry lookup (src/policy/rules.rs line ~111): Full CID lookup against ApprovedArtifact registry. The structural gate exists but actual CID resolution is stubbed.
3. Egress allowlist (src/policy/rules.rs line ~197): Add endpoint allowlist field to JobManifest and validate declared endpoints against approved list.

Requirements

• Artifact registry: resolve CIDs against the ApprovedArtifact registry, verify signer ≠ approver (separation of duties), check release channel validity
• Egress allowlist: add allowed_endpoints: Vec<String> field to JobManifest, validate each against a configurable approved endpoint list, reject undeclared endpoints
• LLM advisory: when mesh LLM is available, route manifest through advisory classification; advisory is non-authoritative (cannot override deterministic engine)

Success Criteria

• Artifact CIDs are resolved and verified against the registry before dispatch
• Jobs declaring network endpoints are validated against approved list
• Jobs with undeclared endpoints are rejected by the policy engine
• LLM advisory flag is populated when mesh LLM is available
• Integration tests for all three policy steps
• cargo test and cargo clippy pass

Testing (Principle V)

• Submit job with valid artifact CID → accepted
• Submit job with unknown CID → rejected with clear error
• Submit job with approved egress endpoints → accepted
• Submit job with unapproved endpoint → rejected
• Test separation of duties: same identity as signer+approver → rejected

[jeremymanning]

Addressed in spec 004-full-implementation (PR #59). Implementation verified in code; 802 tests passing across Linux/macOS/Windows. See #57 master plan for full context.