feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration

New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers

Backward compatible: no policy file = identical behavior to v5.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/llm-security/hooks/scripts/pre-bash-destructive.mjs

@@ -12,6 +12,7 @@
 
 import { readFileSync } from 'node:fs';
 import { normalizeBashExpansion } from '../../scanners/lib/bash-normalize.mjs';
+import { getPolicyValue } from '../../scanners/lib/policy-loader.mjs';
 
 // ---------------------------------------------------------------------------
 // BLOCK rules — exit 2, command is not executed.
@@ -78,6 +79,12 @@ const BLOCK_RULES = [
       'strings, which is a common code injection vector. Blocked. ' +
       'Refactor to use explicit commands instead.',
   },
+  // Policy-defined additional blocked patterns
+  ...getPolicyValue('destructive', 'additional_blocked', []).map(entry => ({
+    name: entry.name || 'Custom blocked pattern',
+    pattern: new RegExp(entry.pattern),
+    description: entry.description || 'Blocked by policy.',
+  })),
 ];
 
 // ---------------------------------------------------------------------------