
Harden PolicyFabric hook boundary #31

Merged: mdheller merged 3 commits into main from work/policy-boundary-v0 on May 29, 2026

@mdheller
Contributor

Summary

Implements the first concrete tranche for #30: the local PolicyFabric hook now carries an explicit policy-only decision boundary, and tests reject collapsed policy → runtime/authority/state behavior.

Adds / changes

  • src/sourceos_syncd/policy.py
    • adds DecisionBoundary with:
      • decision_scope=policy-only
      • runtime_effect_performed=false
      • authority_mutation_performed=false
      • state_repair_performed=false
      • ledger_write_performed=false
      • downstream refs to sourceos-spec#113 and sourceos-syncd#30
    • includes decision_boundary in every policy decision payload;
    • validates the boundary before report-policy decisions are counted or summarized.
  • tests/test_policy_hook.py
    • asserts policy decisions carry policy-only boundary fields;
    • rejects collapsed runtime-effect and authority-mutation claims;
    • confirms State Integrity Report samples carry the boundary.
  • docs/policy-fabric-hook.md
    • documents policy-only scope and the hard chain:
      • observation/report input = evidence
      • policy decision = local/remote policy evaluation
      • runtime effect = separate admission/effect decision
      • authority/grant mutation = separate registry/grant-state decision
      • state integrity report = evidence/report only

Boundary

This PR does not add a live PolicyFabric client, runtime-effect execution, grant/authority mutation, state repair, ledger write, replication, bridge export, or memory writeback. It only hardens the local decision shape and validation posture.

Closes #30.
Depends conceptually on SourceOS-Linux/sourceos-spec#113.

mdheller merged commit 2de65fb into main on May 29, 2026
4 checks passed
mdheller deleted the work/policy-boundary-v0 branch on May 30, 2026 22:15
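
An added sketch, not code from this PR or the project, of the check the description lists: validate the boundary before a decision is counted or summarized, and reject payloads that claim a runtime effect or authority mutation. The boundary field names come from the description; `validate_boundary`, `summarize`, `BoundaryViolation`, the `outcome` key and the sample payloads are assumptions, and the downstream refs are left out.

```python
# Added illustration, not the project's policy.py; field names come from the PR description.
from dataclasses import asdict, dataclass
EFFECT_FLAGS = ("runtime_effect_performed", "authority_mutation_performed",
                "state_repair_performed", "ledger_write_performed")

@dataclass(frozen=True)
class DecisionBoundary:
    decision_scope: str = "policy-only"
    runtime_effect_performed: bool = False
    authority_mutation_performed: bool = False
    state_repair_performed: bool = False
    ledger_write_performed: bool = False

class BoundaryViolation(ValueError):
    """Hypothetical error: the payload claims more than policy evaluation."""

def validate_boundary(decision: dict) -> None:
    """Raise unless the payload carries an intact policy-only boundary."""
    boundary = decision.get("decision_boundary")
    if not isinstance(boundary, dict):
        raise BoundaryViolation("missing decision_boundary")
    if boundary.get("decision_scope") != "policy-only":
        raise BoundaryViolation("decision_scope is not policy-only")
    for flag in EFFECT_FLAGS:
        # Require a literal False: a missing flag, None, 0 or "false" must not pass.
        if boundary.get(flag) is not False:
            raise BoundaryViolation(f"{flag} must be false")

def summarize(decisions: list) -> dict:
    """Count outcomes only for decisions that pass validation (fail closed)."""
    counts, rejected = {}, []
    for index, decision in enumerate(decisions):
        try:
            validate_boundary(decision)
        except BoundaryViolation as exc:
            rejected.append((index, str(exc)))
            continue
        outcome = decision.get("outcome", "unknown")  # "outcome" is an assumed field name
        counts[outcome] = counts.get(outcome, 0) + 1
    return {"counts": counts, "rejected": rejected}

# Constructed sample payloads, not taken from the project's tests.
OK = asdict(DecisionBoundary())
SAMPLE = [
    {"outcome": "allow", "decision_boundary": OK},
    {"outcome": "allow", "decision_boundary": {**OK, "runtime_effect_performed": True}},
    {"outcome": "deny", "decision_boundary": {**OK, "authority_mutation_performed": "false"}},
    {"outcome": "allow"},
]
```

Calling `summarize(SAMPLE)` counts only the first payload; the other three land in `rejected` with the reason, so a collapsed or missing boundary never reaches the summary.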

Development

Successfully merging this pull request may close these issues.

Harden PolicyFabric hook boundary: policy decision is not runtime effect or authority mutation