feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration

New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers

Backward compatible: no policy file = identical behavior to v5.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/llm-security/hooks/scripts/pre-write-pathguard.mjs

@@ -11,6 +11,7 @@
 
 import { readFileSync } from 'node:fs';
 import { basename, normalize, resolve } from 'node:path';
+import { getPolicyValue } from '../../scanners/lib/policy-loader.mjs';
 
 // ---------------------------------------------------------------------------
 // Sensitive path patterns — 8 categories
@@ -68,6 +69,9 @@ const SETTINGS_FILES = [
   'settings.local.json',
 ];
 
+/** Category 9: Policy-defined additional protected paths */
+const POLICY_PATTERNS = getPolicyValue('pathguard', 'additional_protected', []).map(p => new RegExp(p));
+
 // ---------------------------------------------------------------------------
 // Path classification
 // ---------------------------------------------------------------------------
@@ -142,6 +146,13 @@ function classifyPath(filePath) {
     }
   }
 
+  // Category 9: Policy-defined additional protected paths
+  for (const pat of POLICY_PATTERNS) {
+    if (pat.test(norm)) {
+      return { blocked: true, category: 'policy', reason: `Policy-protected path: ${norm}` };
+    }
+  }
+
   return { blocked: false, category: '', reason: '' };
 }