Implement policy decision normalizer and explanation-code registry

## Goal

Implement the SourceOS policy decision model so expected control behavior does not appear as false operator error noise.

## Scope

- Add policy decision event contract.
- Add semantic outcome mapping.
- Add explanation-code registry.
- Add default expected-denial rules.
- Cover file, IPC, network, identity, and sync operation classes.

## Required explanation codes

- `POLICY_EXPECTED_METADATA_BOUNDARY`
- `POLICY_EXPECTED_NETWORK_DISABLED`
- `POLICY_UNEXPECTED_FILE_READ`
- `POLICY_ATTACK_LIKE_PRIVILEGE_BOUNDARY_PROBE`
- `POLICY_DEGRADED_TRUST_LOCAL_ONLY`

## Acceptance criteria

- Expected sandbox denies render as `notice` + `blocked_expected`.
- Unexpected denials render as `warning` unless attack-like.
- Policy result and semantic outcome are both preserved.
- Narrative output explains why a block happened.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement policy decision normalizer and explanation-code registry #6

Goal

Scope

Required explanation codes

Acceptance criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Implement policy decision normalizer and explanation-code registry #6

Description

Goal

Scope

Required explanation codes

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions