Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

client/mcproxy/client.go

@@ -40,6 +40,12 @@ func (c *Client) Close() error {
 	return c.conn.Close()
 }
 
+// L7Policy represents an HTTP-level blocking policy.
+type L7Policy struct {
+	Type  string // "block_user_agent" or "require_header"
+	Value string
+}
+
 // Route represents a hostname to backend mapping with mode and options.
 type Route struct {
 	Hostname          string
@@ -49,6 +55,7 @@ type Route struct {
 	TLSKey            string
 	BackendTLS        bool
 	SendProxyProtocol bool
+	L7Policies        []L7Policy
 }
 
 // ListRoutes returns all routes for the given listener address.
@@ -211,6 +218,42 @@ func (c *Client) SetListenerMaxConnections(ctx context.Context, listenerAddr str
 	return err
 }
 
+// ListL7Policies returns L7 policies for a route.
+func (c *Client) ListL7Policies(ctx context.Context, listenerAddr, hostname string) ([]L7Policy, error) {
+	resp, err := c.admin.ListL7Policies(ctx, &pb.ListL7PoliciesRequest{
+		ListenerAddr: listenerAddr,
+		Hostname:     hostname,
+	})
+	if err != nil {
+		return nil, err
+	}
+	policies := make([]L7Policy, len(resp.Policies))
+	for i, p := range resp.Policies {
+		policies[i] = L7Policy{Type: p.Type, Value: p.Value}
+	}
+	return policies, nil
+}
+
+// AddL7Policy adds an L7 policy to a route.
+func (c *Client) AddL7Policy(ctx context.Context, listenerAddr, hostname string, policy L7Policy) error {
+	_, err := c.admin.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: listenerAddr,
+		Hostname:     hostname,
+		Policy:       &pb.L7Policy{Type: policy.Type, Value: policy.Value},
+	})
+	return err
+}
+
+// RemoveL7Policy removes an L7 policy from a route.
+func (c *Client) RemoveL7Policy(ctx context.Context, listenerAddr, hostname string, policy L7Policy) error {
+	_, err := c.admin.RemoveL7Policy(ctx, &pb.RemoveL7PolicyRequest{
+		ListenerAddr: listenerAddr,
+		Hostname:     hostname,
+		Policy:       &pb.L7Policy{Type: policy.Type, Value: policy.Value},
+	})
+	return err
+}
+
 // HealthStatus represents the health of the server.
 type HealthStatus int