cllama: PolicyEvaluator hook interface at the five interception points

[mostlydev]

Part of #302 (Phase 1). Blocked by ADR-025 (do not start until the contract is ratified).

What

Add an optional PolicyEvaluator to the cllama proxy, following the existing HandlerOption pattern (the same way feeds, cost tracking, and session history attach). When unset, behavior is bit-identical to today's passthrough — that property gets its own conformance test.

The five call sites (anchors in cllama/internal/proxy/handler.go)

1. Pre-flight gate — after bearer-token identity resolution + agent context load, before path-specific handling.
2. Tool filter — after tool manifest load, before managed tool injection into the request.
3. Prompt decoration — after feed/memory/time context injection, before dispatch candidate resolution.
4. Response gate — after upstream response, before egress to the runner (streaming semantics per ADR-025).
5. Drift/score log — after response recording; fire-and-forget telemetry enrichment.

Both ingress formats (OpenAI /v1/chat/completions and Anthropic /v1/messages) must pass through the same evaluator — the duplicated format paths are the main implementation hazard.

Config surface

• CLLAMA_POLICY_URL (unset = disabled), CLLAMA_POLICY_TOKEN, CLLAMA_POLICY_TIMEOUT_MS, CLLAMA_POLICY_FAIL_MODE (per-hook defaults from ADR-025).

Telemetry

Policy verdicts emit intervention values (policy_denied, policy_amended, policy_decorated) so claw audit shows policy activity per agent with zero new columns.

Verification

• TDD throughout; unit tests per hook with a stub evaluator.
• Passthrough conformance test: nil evaluator produces byte-identical responses and identical telemetry to current master.
• Spike test: pod with a stub policy HTTP service that denies one canned request and decorates another, asserted via claw audit.