June 3, 2026
Policy overhaul: flat gate replaces rules engine
The policy system has been rebuilt around a single flat policy table and PolicyManager, replacing the old policy_service and policy_rules. All gate checks now flow through PolicyManager.wrap(), which provides lazy ask, escalation, shared block, and REST seeding.
A boot migration creates and seeds the new policy table before convergence, copying from static policy_defaults.json. The schema adds the flat table while the old rules table is retained until the cutover is complete.
MCP tool gating is now handled lazily by PolicyManager.wrap() instead of a pre‑loaded policy seed. The Ability.dispatch path has been removed; tool calls route through use→match→wrap→execute with MCP gated inside _MCPAbility.
In the act-loop, discovered_tools has been collapsed into ACTIVE_TOOLS names, seeded once during _setup and extended by find_tools. The Brain Policies UI now renders flat rows without client‑side pivoting.
Tests now seed the policy table in the shared DB fixture to mirror production boot, preventing internal system actions from hitting an empty table and escalating to deny. Several test marks were adjusted to run in the gate.
- Deleted policy_service and policy_rules; PolicyManager is the sole enforcement point
- Added flat policy table with boot migration, static seed, and REST endpoints (GET, upsert PUT, reset)
- MCP tools gated lazily via PolicyManager.wrap; Ability.dispatch removed
- Act-loop uses single ACTIVE_TOOLS names list, seeded in _setup
- Test fixtures now seed the policy table to match production behaviour
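The failure mode behind the test-fixture change, as an added sketch that is not the project's code: a flat table consulted by a fail-closed gate denies internal actions until the table is seeded. The schema, the action names, the helpers `migrate`, `seed`, `decide`, `wrap` and `fresh_db`, and the rule that an unmatched action is treated as an ask that becomes deny when nobody can answer are all assumptions made for illustration.

```python
import sqlite3

# Constructed defaults standing in for policy_defaults.json (contents assumed).
POLICY_DEFAULTS = [
    ("system.heartbeat", "allow"),
    ("mcp.files.delete", "ask"),
    ("shell.exec", "block"),
]

def migrate(db):
    """Boot migration: create the flat table (hypothetical schema)."""
    db.execute("CREATE TABLE IF NOT EXISTS policy "
               "(action TEXT PRIMARY KEY, decision TEXT NOT NULL)")

def seed(db):
    """Copy static defaults in without overwriting rows already present."""
    db.executemany("INSERT OR IGNORE INTO policy VALUES (?, ?)", POLICY_DEFAULTS)

def decide(db, action, approver=None):
    """Resolve one action; a missing row or an unanswered ask fails closed."""
    row = db.execute("SELECT decision FROM policy WHERE action = ?",
                     (action,)).fetchone()
    decision = row[0] if row else "ask"
    if decision == "ask":
        # Lazy ask: the approver is consulted only when a call reaches the gate.
        decision = "allow" if approver and approver(action) else "deny"
    return "deny" if decision == "block" else decision

def wrap(db, fn, action, approver=None):
    """Return fn guarded by the gate; raises PermissionError on deny."""
    def gated(*args, **kwargs):
        if decide(db, action, approver) != "allow":
            raise PermissionError(f"policy denied {action}")
        return fn(*args, **kwargs)
    return gated

def fresh_db(seeded):
    """Stand-in for the shared DB fixture, with or without the seed step."""
    db = sqlite3.connect(":memory:")
    migrate(db)
    if seeded:
        seed(db)
    return db

if __name__ == "__main__":
    for seeded in (False, True):
        print(seeded, decide(fresh_db(seeded), "system.heartbeat"))
```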