Closes #1695

Summary

• Implements PolicyEnforcer — a deterministic pre-execution layer that evaluates TOML-based access-control rules before any tool executes, independently of prompt content
• PolicyGateExecutor wraps TrustGateExecutor as the outermost executor; generic error to LLM, trace details to audit log only
• Deny-wins semantics: all deny rules evaluated first, then allow rules, then default_effect
• Lexical path normalization via Path::components() prevents ../ traversal bypass (CRIT-01)
• Tool name normalization (lowercase + trim) on both rule compile and evaluation (CRIT-02)
• Audit log entry for every policy decision (allow and deny)
• policy-enforcer feature flag (optional, included in full)

Integration points

• [tools.policy] config section with enabled, default_effect, rules, policy_file
• --policy-file <path> CLI flag
• /policy check <tool> <args> and /policy status slash commands
• --init wizard step for policy configuration
• --migrate-config step inserts empty [tools.policy] in existing configs
• docs/src/advanced/policy-enforcer.md — full configuration reference

Test plan

• cargo nextest run -p zeph-tools --features policy-enforcer --lib — 670 tests pass
• Deep .. chain traversal test: /a/b/c/d/../../../../../../etc/passwd → /etc/passwd → Deny
• Deny-wins insertion-order independence: deny-first and deny-last both produce Deny
• cargo nextest run --workspace --features full --lib --bins — 5868 tests pass

Follow-up issues filed

• IMP-ALLOWIF-NOOP: PolicyEffect::AllowIf declared but behaves as Allow — implement or remove
• SEC-POLICY-FILE: load_policy_file() lacks symlink boundary check
• MED-ENV-LEAK-IN-TRACE: /policy check injects real env vars into trace context
• MED-POLICY-CHECK-TRUST-HARDCODED: hardcoded TrustLevel::Trusted in check command
• GAP-03/04/05: additional test coverage gaps for policy_file and boundary conditions