Context
PR #1870 introduced PolicyEffect::AllowIf as a TOML-serializable variant, but the evaluator in policy.rs treats it identically to Allow (line ~301: rule.effect != PolicyEffect::Deny). The variant is dead/misleading code.
Options
- Implement conditional semantics for AllowIf (e.g., require all non-tool conditions to pass)
- Remove the variant and document that conditions are expressed via rule fields directly
Impact
Medium — confusing to users reading TOML examples, no security impact (it's permissive not restrictive).
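
An added sketch of the gap and of the first option, not code from the project's policy.rs. Only the PolicyEffect variant names and the `!= PolicyEffect::Deny` comparison come from the issue; `Rule`, `Request`, the `max_args` condition, default-deny on no match, and the assumption that conditions are not part of rule matching are all hypothetical.

```rust
// Simplified model, not the project's policy.rs. Rule, Request and the
// max_args condition are hypothetical stand-ins for the real rule fields.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum PolicyEffect { Allow, Deny, AllowIf }

pub struct Rule {
    pub tool: &'static str,
    pub effect: PolicyEffect,
    pub max_args: Option<usize>, // hypothetical non-tool condition
}

pub struct Request { pub tool: &'static str, pub arg_count: usize }

// True when every (hypothetical) non-tool condition on the rule holds.
fn conditions_pass(rule: &Rule, req: &Request) -> bool {
    rule.max_args.map_or(true, |max| req.arg_count <= max)
}

/// Behaviour described in the issue: anything that is not Deny permits,
/// so AllowIf is indistinguishable from Allow.
pub fn evaluate_current(rules: &[Rule], req: &Request) -> bool {
    rules.iter()
        .find(|r| r.tool == req.tool)
        .map_or(false, |r| r.effect != PolicyEffect::Deny)
}

/// Option 1: AllowIf permits only when every non-tool condition passes.
pub fn evaluate_conditional(rules: &[Rule], req: &Request) -> bool {
    match rules.iter().find(|r| r.tool == req.tool) {
        None => false, // assumed default-deny when no rule matches
        Some(r) => match r.effect {
            PolicyEffect::Deny => false,
            PolicyEffect::Allow => true,
            PolicyEffect::AllowIf => conditions_pass(r, req),
        },
    }
}

fn main() {
    // Constructed sample: an AllowIf rule and a request that fails its condition.
    let rules = [Rule { tool: "shell", effect: PolicyEffect::AllowIf, max_args: Some(2) }];
    let over = Request { tool: "shell", arg_count: 5 };
    println!("current: {}", evaluate_current(&rules, &over));
    println!("conditional: {}", evaluate_conditional(&rules, &over));
}
```

A regression test on the second function (AllowIf with a failing condition must not permit) is what would keep the variant from silently degrading to Allow again.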