sandbox,server: surface per-path L7 escalations as fresh draft chunks

Post-approval L7 (HTTP method/path) denials were vanishing instead of
reaching a reviewer. Wire them through to a fresh, reviewable draft chunk
while keeping straggler-flush noise suppressed.

- sandbox: wire L7 relay denials into the denial aggregator. L7EvalContext
  gains a denial_tx channel; every L7 deny (request-log and forward paths)
  emits a DenialEvent carrying the observed method/path, feeding the same
  observation-driven analysis as connect-stage denials so mechanistic
  proposals can be path-aware.

- server persistence: clear dedup_key when a chunk is decided (sqlite +
  postgres) and backfill existing decided rows via migration 006. New
  observations for the same host|port|binary surface as a fresh pending
  chunk instead of folding their hit_count into a row the reviewer already
  acted on. Without the backfill, rows decided under a pre-upgrade gateway
  silently absorb new denials through the status-blind submit upsert.

- server: make the post-approval mechanistic self-reject sweep
  L7-evidence-aware. A resubmit asking for nothing beyond the union of the
  approved grants for that endpoint still self-rejects (noise suppression);
  a submission carrying method/path asks OUTSIDE the approved grants stays
  pending for review. Path coverage uses a conservative glob matcher
  (* = one segment, ** trailing only, unknown shapes fall back to exact
  equality) so ambiguity errs toward surfacing a card.

- server: gate the self-reject sweep on a live-policy probe
  (policy_covers_rule). Approved chunk records outlive the clauses they
  merged (a temporary grant expiring via RemoveBinary, or a manual
  --remove-rule); trusting the record alone would auto-reject every future
  denial for that endpoint, leaving it permanently un-reviewable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: dkay

crates/openshell-server/migrations/postgres/006_clear_decided_dedup_keys.sql

@@ -0,0 +1,11 @@
+-- Decided draft chunks must not hold dedup keys. The submit-time upsert
+-- matches on (object_type, scope, dedup_key) regardless of row status, so a
+-- decided row that still holds its key silently absorbs new observations
+-- into a chunk the reviewer already acted on — and, because the index is
+-- unique, blocks inserting a fresh pending row for the same endpoint.
+-- Decision paths now clear the key, but rows decided before that rule
+-- existed still carry theirs: scrub them.
+UPDATE objects SET dedup_key = NULL
+WHERE object_type = 'draft_policy_chunk'
+  AND dedup_key IS NOT NULL
+  AND status != 'pending';

crates/openshell-server/migrations/sqlite/006_clear_decided_dedup_keys.sql

@@ -0,0 +1,11 @@
+-- Decided draft chunks must not hold dedup keys. The submit-time upsert
+-- matches on (object_type, scope, dedup_key) regardless of row status, so a
+-- decided row that still holds its key silently absorbs new observations
+-- into a chunk the reviewer already acted on — and, because the index is
+-- unique, blocks inserting a fresh pending row for the same endpoint.
+-- Decision paths now clear the key, but rows decided before that rule
+-- existed still carry theirs: scrub them.
+UPDATE objects SET dedup_key = NULL
+WHERE object_type = 'draft_policy_chunk'
+  AND dedup_key IS NOT NULL
+  AND status != 'pending';