Add PolicyGate extension point to pkg/runner

[reyortiz3]

Summary

Enterprise and downstream deployments need to enforce policy at the point where MCP server containers are created, without forking or patching the OSS runner. Without an extension point, every policy check would require modifying upstream code.

• Adds a PolicyGate interface in pkg/runner/policy_gate.go with CheckCreateServer(ctx, cfg) error
• Ships NoopPolicyGate (exported) for downstream implementations to embed for forward-compatibility as the interface grows
• Default gate (allowAllGate) returns nil for all operations — zero behavior change for OSS users
• RegisterPolicyGate(g PolicyGate) lets enterprise/downstream binaries install a real gate at startup (thread-safe via sync.Mutex)
• Gate is invoked in Runner.Run just before runtime.Setup for local workloads; a returned error blocks creation with "server creation blocked by policy: %w"

Closes stacklok/stacklok-enterprise-platform#91

Type of change

• New feature

Test plan

• Unit tests (task test)

Four unit tests in pkg/runner/policy_gate_test.go:

• Default gate allows all operations (returns nil)
• NoopPolicyGate embed returns nil
• RegisterPolicyGate replaces the active gate; an error-returning gate propagates the sentinel error
• Package default is confirmed to be allowAllGate

Each test that mutates the package-level gate saves and restores the original via t.Cleanup.

Changes

File	Change
pkg/runner/policy_gate.go	New — interface, default impl, RegisterPolicyGate, NoopPolicyGate
pkg/runner/runner.go	Call gate before runtime.Setup in the local-workload branch
pkg/runner/policy_gate_test.go	New — unit tests for gate logic

Does this introduce a user-facing change?

No. The default gate is a no-op; existing OSS behavior is unchanged.

Special notes for reviewers

The NoopPolicyGate exported struct is intentional — it gives downstream implementations a safe embed target so that adding new methods to PolicyGate in future issues doesn't break their builds.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.89%. Comparing base (f5d8015) to head (a652d6e).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/runner/runner.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4614      +/-   ##
==========================================
+ Coverage   68.85%   68.89%   +0.04%     
==========================================
  Files         505      506       +1     
  Lines       52425    52437      +12     
==========================================
+ Hits        36096    36126      +30     
+ Misses      13536    13520      -16     
+ Partials     2793     2791       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.