Context
PR #1870: load_policy_file() in policy.rs does not validate that the canonical path of the policy file stays within the project root, unlike load_instructions() which performs this check.
Risk
Low — policy_file is typically set by an administrator in config.toml. However, the inconsistency with the instruction file loader's security model is worth fixing for defense in depth.
Fix
Add the same canonical-path boundary check that load_instructions() performs: canonicalize the configured policy_file (which also resolves symlinks and `..` components) and refuse to read it unless the resolved path lies under the canonicalized project root.
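The check described above, written out as an added example (not code from the project or from PR #1870; the function names `resolve_within_root`, `load_policy_file_checked` and `build_fixture` are hypothetical, and the scratch directory layout it creates is constructed for the demonstration). It canonicalizes both the project root and the candidate path so that symlinks, `..` components and platform-level aliases such as `/var` vs `/private/var` are resolved before the comparison, and it uses `Path::starts_with`, which compares whole components, so a root of `/srv/proj` does not accept `/srv/proj2/policy.toml`:

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Resolve `candidate` (following symlinks and `..`) and return the canonical
/// path only if it still lies inside the canonical `root`.
/// Relative candidates are taken relative to the root, as a config.toml
/// entry would be. A missing file surfaces as the NotFound error from
/// canonicalize(); an escape surfaces as PermissionDenied.
pub fn resolve_within_root(root: &Path, candidate: &Path) -> io::Result<PathBuf> {
    let root = root.canonicalize()?;
    let joined = if candidate.is_absolute() {
        candidate.to_path_buf()
    } else {
        root.join(candidate)
    };
    let resolved = joined.canonicalize()?;
    // starts_with is component-wise: "/a/b" starts_with "/a" but "/a/bc" does not.
    if !resolved.starts_with(&root) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} resolves to {} outside project root {}",
                    joined.display(), resolved.display(), root.display()),
        ));
    }
    Ok(resolved)
}

/// Hypothetical hardened loader: boundary check first, then read.
pub fn load_policy_file_checked(root: &Path, policy_file: &Path) -> io::Result<String> {
    let path = resolve_within_root(root, policy_file)?;
    fs::read_to_string(path)
}

#[cfg(unix)]
fn make_symlink(target: &Path, link: &Path) -> io::Result<()> {
    std::os::unix::fs::symlink(target, link)
}
#[cfg(not(unix))]
fn make_symlink(_target: &Path, _link: &Path) -> io::Result<()> {
    Ok(()) // symlink escape case not exercised on non-unix targets
}

/// Build a constructed scratch tree under the OS temp dir:
///   <base>/project/policy.toml          legitimate in-root file
///   <base>/outside/secret.toml          file outside the root
///   <base>/project/escape.toml -> ../outside/secret.toml   (unix only)
/// Returns the project root.
pub fn build_fixture() -> io::Result<PathBuf> {
    let stamp = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_nanos())
        .unwrap_or(0);
    let base = std::env::temp_dir()
        .join(format!("policy-root-check-{}-{}", std::process::id(), stamp));
    let root = base.join("project");
    let outside = base.join("outside");
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    fs::write(root.join("policy.toml"), "allow = [\"read\"]\n")?;
    fs::write(outside.join("secret.toml"), "allow = [\"everything\"]\n")?;
    make_symlink(&outside.join("secret.toml"), &root.join("escape.toml"))?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = build_fixture()?;
    for name in ["policy.toml", "../outside/secret.toml", "escape.toml", "missing.toml"] {
        match load_policy_file_checked(&root, Path::new(name)) {
            Ok(body) => println!("{name}: loaded {} bytes", body.len()),
            Err(e) => println!("{name}: rejected ({:?}): {e}", e.kind()),
        }
    }
    Ok(())
}
```

Both the `..` traversal and the symlink case are rejected by the same comparison because `canonicalize()` resolves them before `starts_with` runs; checking the un-canonicalized string for `..` or leading slashes would miss the symlink case entirely, which is the gap the PR describes.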