Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/l7/policy_test.go

@@ -0,0 +1,158 @@
+package l7
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestPolicyMiddlewareNoPolicies(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	handler := PolicyMiddleware(nil, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyBlockUserAgentMatch(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "Mozilla/5.0 BadBot/1.0")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != 403 {
+		t.Fatalf("status = %d, want 403", w.Code)
+	}
+}
+
+func TestPolicyBlockUserAgentNoMatch(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "Mozilla/5.0 GoodBrowser/1.0")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyRequireHeaderPresent(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "require_header", Value: "X-API-Key"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-API-Key", "secret")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyRequireHeaderAbsent(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "require_header", Value: "X-API-Key"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != 403 {
+		t.Fatalf("status = %d, want 403", w.Code)
+	}
+}
+
+func TestPolicyMultipleRules(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+		{Type: "require_header", Value: "X-Token"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	// Blocked by UA even though header is present.
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "BadBot/1.0")
+	req.Header.Set("X-Token", "abc")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+	if w.Code != 403 {
+		t.Fatalf("UA block: status = %d, want 403", w.Code)
+	}
+
+	// Good UA but missing header.
+	req2 := httptest.NewRequest("GET", "/", nil)
+	req2.Header.Set("User-Agent", "GoodBot/1.0")
+	w2 := httptest.NewRecorder()
+	handler.ServeHTTP(w2, req2)
+	if w2.Code != 403 {
+		t.Fatalf("missing header: status = %d, want 403", w2.Code)
+	}
+
+	// Good UA and header present — passes.
+	req3 := httptest.NewRequest("GET", "/", nil)
+	req3.Header.Set("User-Agent", "GoodBot/1.0")
+	req3.Header.Set("X-Token", "abc")
+	w3 := httptest.NewRecorder()
+	handler.ServeHTTP(w3, req3)
+	if w3.Code != 200 {
+		t.Fatalf("pass: status = %d, want 200", w3.Code)
+	}
+}