docs(agent): ship static sandbox policy advisor skill #1095

@zredlined

Description

Ship a static /etc/openshell/skills/policy_advisor.md in the sandbox image that teaches agents the deny/log -> inspect -> draft -> prove -> submit -> watch loop using policy.local.

Context

Parent: #1062
RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md

This is part of the locked Agent-Driven Policy Management MVP. GitHub issues are the development source of truth; Linear is only a roadmap pointer.

The MVP uses a static named skill file instead of runtime generation. Use a named file so future images can add more OpenShell skills beside it.

Definition of Done

  • Sandbox image includes /etc/openshell/skills/policy_advisor.md.
  • Skill documents the policy.local endpoints and example JSON payloads.
  • Skill documents how to inspect recent denials and sandbox-local activity logs.
  • Skill documents the L7-first norm and when L4 fallback is acceptable.
  • Skill tells agents to use PolicyMergeOperation-shaped JSON payloads rather than CLI flag strings.
  • Skill documents rejection guidance and revision behavior.
  • No hidden policy ceilings, approval thresholds, or secrets are exposed.
  • MCP is described as out of scope for MVP, not as a required setup step.

Metadata

Labels

  • area:docs - Documentation and examples
  • area:policy - Policy engine and policy lifecycle work
  • area:sandbox - Sandbox runtime and isolation work
  • state:agent-ready - Approved for agent implementation