fix(sandbox): add mechanistic smoke test for L4 deny and document the L4/L7 split

[mesutoezdil]

Summary

• Added e2e/policy-advisor/mechanistic-smoke.sh to test the mechanistic mapper with an L4 CONNECT deny
• Added a Policy Proposals section to architecture/sandbox.md documenting the intentional L4-only scope

Related Issue

Fixes #1333

Changes

The denial aggregator is only wired to L4 CONNECT denies, not L7 enforcement. The old smoke path exercised an L7 PUT which hung because no mechanistic chunk is ever generated for L7 denials.

The new script creates a sandbox with no network policy, triggers an L4 deny by connecting to an unroutable host, waits for the aggregator to flush, and asserts a pending chunk appears under openshell rule get --status pending.

The architecture doc documents the L4/L7 split as an intentional design decision.

Testing

• bash -n e2e/policy-advisor/mechanistic-smoke.sh passes
• markdownlint-cli2 architecture/sandbox.md passes with 0 errors
• The smoke script itself is the e2e test and requires a running gateway

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[TaylorMutch]

I tested the new smoke locally on this branch with the Docker-backed e2e wrapper:

e2e/with-docker-gateway.sh bash -lc '
  target/debug/openshell settings set --global \
    --key agent_policy_proposals_enabled \
    --value true \
    --yes
  OPENSHELL_BIN="$PWD/target/debug/openshell" \
    bash e2e/policy-advisor/mechanistic-smoke.sh
'

It passed: the script created a sandbox, triggered the expected L4 CONNECT deny for blocked.invalid:443, and openshell rule get --status pending showed allow_blocked_invalid_443 for /usr/bin/curl.

A few items still need action before this fully resolves #1333:

1. Please wire e2e/policy-advisor/mechanistic-smoke.sh into an exercised path, or document clearly that it is manual-only. Right now I do not see it referenced from mise run e2e, tasks/test.toml, .github/workflows/e2e-test.yml, or e2e/policy-advisor/README.md, so CI will not catch regressions in this path.
2. mechanistic mapper: L4-only by design; retarget e2e smoke and document the split #1333 explicitly asks to “Verify (or add) a positive unit test that an L4 deny enqueues a DenialEvent.” I do not see that covered in this PR. Please add the unit test, or change Fixes #1333 to Refs #1333 and explain the remaining work.
3. Please initialize TMP_DIR="" before the trap cleanup EXIT. With set -u, early preflight failures can make cleanup() reference an unbound TMP_DIR and mask the real error.

The L4 retarget itself looks correct based on the local run; the main gap is making sure this becomes durable regression coverage and that all acceptance items from #1333 are addressed.