SPDD follow-ups: guard-policy integration coverage, aw.yml version/metadata schema, and spec sync updates

[Copilot]

This PR implements the SPDD queue items for 2026-05-30 by closing documentation/code drift across guard policies, package manifest constraints, and access-control/safe-output spec gaps. It adds missing guard-policy compilation coverage and aligns aw.yml validation with newly specified manifest fields.

• Guard policy end-to-end coverage

  • Added integration-style compilation test to validate guard policy propagation into compiled lock workflows:
    • pkg/workflow/tools_guard_policy_integration_test.go
  • Confirms compiled output contains guard policy envelope and expected allow-only fields.

• Repository package manifest: new fields + version ceiling

  • Extended schema and parser support for:
    • max-version
    • license
    • tags (bounded list/string length)
    • categories (enum)
  • Added cross-field version constraint validation (min-version cannot exceed max-version).
  • Updated parser helpers for clearer semantics and documented slice parsing behavior.

• Manifest test coverage expansion

  • Added parser/compile tests for:
    • compatible/incompatible max-version
    • invalid min-version > max-version
    • accepted/rejected metadata fields (license/tags/categories)
    • string-slice field parsing edge cases

• Spec synchronization updates

  • repository-package-manifest-specification.md
    • Added max-version, metadata fields, validation rules, and package lifecycle section (gh aw add|update|remove) with normative requirements.
  • model-alias-specification.md
    • Expanded §12 compliance matrix coverage and changelog alignment for ?effort= / ?temperature=.
  • guard-policies-specification.md
    • Replaced Open Questions with Decisions (Accepted/Deferred/Out-of-scope).
  • github-mcp-access-control-specification.md
    • Added config-reload/stale-config safeguards.
  • safe-outputs-specification.md
    • Added §10 execution-guarantee audit note with explicit gap markers.

if manifest.MinVersion != "" && manifest.MaxVersion != "" && semverutil.Compare(manifest.MinVersion, manifest.MaxVersion) > 0 {
	return nil, nil, fmt.Errorf(
		"invalid Agentic Workflow manifest %q: min-version %q cannot be greater than max-version %q",
		manifestPath, manifest.MinVersion, manifest.MaxVersion,
	)
}