feat(llm-security): v7.0.0 commit 3 — policy-driven entropy thresholds

Adds entropy section to DEFAULT_POLICY and wires it into entropy-scanner.
Users can now tune false-positive tradeoffs without forking the scanner.

Policy shape (.llm-security/policy.json):
  entropy:
    thresholds.{critical,high,medium}.{entropy,minLen}  — numeric overrides
    suppress_extensions[]                               — additive ext skip
    suppress_line_patterns[]                            — additional regex
    suppress_paths[]                                    — relPath substrings

Wiring: entropy-scanner calls loadPolicy(targetPath) at scan entry (not
orchestrator-passed — avoids signature churn across 10 scanners). Module-
level state is reset per scan invocation. Scanner envelope now includes
calibration.{policy_source, thresholds, files_skipped_by_*} for
synthesizer transparency (Commit 5).

Malformed user regex silently skipped. Missing policy.json → built-in
defaults (backwards-compatible).

entropy.test.mjs: 9/9 still green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-19 22:02:52 +02:00
commit a9e377570c
2 changed files with 129 additions and 3 deletions


@ -50,6 +50,19 @@ const DEFAULT_POLICY = Object.freeze({
failOn: null,
compact: false,
},
entropy: {
thresholds: {
critical: { entropy: 5.4, minLen: 128 },
high: { entropy: 5.1, minLen: 64 },
medium: { entropy: 4.7, minLen: 40 },
},
// User-extensible extension skip list — merged with built-in defaults.
suppress_extensions: [],
// Additional line-level regex sources (string or array of strings compiled at load).
suppress_line_patterns: [],
// Substring matches against relative path — plain contains, no glob.
suppress_paths: [],
},
});
// Cache loaded policy per project root
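Review bot: the `thresholds.{critical,high,medium}` overrides added in this hunk are merged with no range validation, so a policy.json that sets `entropy` above the maximum a per-character Shannon score can reach, or `minLen` to an enormous value, turns that tier off with no signal to the user; validate that `entropy` is a finite number in (0, 8] and `minLen` a positive integer, fall back to the built-in value (5.4/128, 5.1/64, 4.7/40) when the override fails the check, and record the fallback in the `calibration` envelope the commit message says the scanner now emits. The same applies to `suppress_line_patterns`: the message says a malformed regex is silently skipped, which leaves the user believing a suppression is active when it is not, so list skipped patterns under `calibration` as well. Two smaller points on the comments here: `suppress_paths` is documented as plain substring matching, so a short entry such as `test` also suppresses `contest/keys/...`; matching on whole path segments (or saying in the comment that a leading `/` or trailing `/` is needed to anchor) would avoid accidental over-suppression, and since the policy is read from the scanned target path, `policy_source` should make it clear in the output that suppressions came from the repository under scan rather than from scanner defaults.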