feat(providers): add profile-backed policy composition #1037

Open
johntmyers wants to merge 7 commits into main from feat/947-provider-profile-composition-draft

@johntmyers (Collaborator) commented Apr 29, 2026

Summary

Add the first provider profile foundation: bundled YAML provider profiles, profile proto surfaces, CLI discovery for provider types, and JIT policy composition behind the opt-in use_providers_v2 gateway setting.

Related Issue

Closes #947

UX Changes

  • Adds openshell provider list-types to browse built-in provider profiles exposed by the gateway.
  • Provider profile categories are now a proto enum: other, inference, agent, source_control, messaging, data, and knowledge.
  • Default behavior is unchanged: with use_providers_v2=false or unset, providers keep the existing credential discovery/injection behavior and profile-backed policy composition is not used.
  • When use_providers_v2=true is enabled at the gateway, sandbox policy reads compose the sandbox-authored policy with provider profile policy layers JIT. Built-in profile YAML defines the provider policy defaults, and duplicate/overlapping user policy entries are preserved through layered composition instead of replacing the user's sandbox policy.
  • Gateway-global policy remains a full override in both modes. It acts as the emergency switch: operators can rapidly replace effective sandbox policy fleet-wide without provider profile layers adding extra egress.
  • Credential injection is unchanged in both modes for this PR. Provider credentials still resolve through the existing legacy path until a future iteration starts materializing credentials from provider profiles.

Changes

  • Add provider profile protos, category enum, and bundled per-provider YAML profiles.
  • Add profile registry support and CLI provider list-types discovery.
  • Add opt-in use_providers_v2 gateway setting for profile-backed policy composition.
  • Compose provider profile policy layers JIT when the gateway setting is enabled and the effective policy source is sandbox-scoped.
  • Preserve global policy as a full emergency override that suppresses provider profile layers.
  • Keep generic as a legacy provider type without a bundled v2 profile or automatic policy contribution.
  • Add policy composition tests and provider profile parsing/catalog coverage.
  • Update architecture and provider docs for the new profile model.

Testing

  • RUSTC_WRAPPER= cargo check -p openshell-core -p openshell-providers -p openshell-cli -p openshell-server
  • RUSTC_WRAPPER= cargo test -p openshell-providers
  • RUSTC_WRAPPER= cargo test -p openshell-cli cli_provider_types_match_registry
  • RUSTC_WRAPPER= cargo test -p openshell-server sandbox_config_
  • RUSTC_WRAPPER= cargo test -p openshell-server provider_environment_resolution_is_unchanged_by_providers_v2_setting
  • RUSTC_WRAPPER= cargo test -p openshell-server provider_profile
  • RUSTC_WRAPPER= cargo test -p openshell-cli provider_list_types_cli_uses_profile_browsing_rpc
  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)
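
The resolution order described in the PR summary above (default off, opt-in layering, gateway-global override), as an added example that is not part of the PR or of the OpenShell code base. The types, the host-list model of egress policy and the `inference-demo` profile name are assumptions made for illustration.

```rust
// Added illustration: every type and name here is hypothetical, not OpenShell's API.
#[derive(Debug, Clone, PartialEq)]
pub enum Source { Global, Sandbox, ProviderProfile(String) }
#[derive(Debug, Clone, PartialEq)]
pub struct Layer { pub source: Source, pub egress: Vec<String> }

pub struct Inputs<'a> {
    pub use_providers_v2: bool,                         // gateway setting, default false
    pub global: Option<Vec<String>>,                    // gateway-global policy, if set
    pub sandbox: Vec<String>,                           // sandbox-authored policy
    pub attached_profiles: Vec<(&'a str, Vec<String>)>, // profile name + its defaults
}

/// Resolve the effective policy as an ordered list of layers.
pub fn effective_policy(i: &Inputs) -> Vec<Layer> {
    // Global policy is a full override in both modes; no other layer survives.
    if let Some(g) = &i.global {
        return vec![Layer { source: Source::Global, egress: g.clone() }];
    }
    // The sandbox-authored layer is kept intact, never rewritten by a profile.
    let mut layers = vec![Layer { source: Source::Sandbox, egress: i.sandbox.clone() }];
    // Profile layers are appended only when the opt-in setting is enabled.
    if i.use_providers_v2 {
        for (name, egress) in &i.attached_profiles {
            let source = Source::ProviderProfile(name.to_string());
            layers.push(Layer { source, egress: egress.clone() });
        }
    }
    layers
}

/// Hosts reachable under the effective policy: union of all layers, sorted, deduplicated.
pub fn allowed_hosts(layers: &[Layer]) -> Vec<String> {
    let mut hosts: Vec<String> = layers.iter().flat_map(|l| l.egress.iter().cloned()).collect();
    hosts.sort();
    hosts.dedup();
    hosts
}

fn main() {
    // Constructed sample input: one sandbox entry that overlaps the profile's defaults.
    let i = Inputs {
        use_providers_v2: true,
        global: None,
        sandbox: vec!["api.example.test".into()],
        attached_profiles: vec![("inference-demo", vec!["api.example.test".into(), "models.example.test".into()])],
    };
    println!("{:?}", allowed_hosts(&effective_policy(&i)));
}
```

An empty global policy still counts as set in this model, so it resolves to no reachable hosts regardless of attached profiles.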

copy-pr-bot Bot commented Apr 29, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers johntmyers force-pushed the feat/947-provider-profile-composition-draft branch from 89e8c63 to 68e6947 Compare April 30, 2026 16:27
@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Apr 30, 2026
@github-actions

Label test:e2e applied, but pull-request/1037 is at {"messa while the PR head is 68e6947. A maintainer needs to comment /ok to test 68e6947fd55b872dd43a621bc7c64059901a0cbb to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@johntmyers (Collaborator, Author)

/ok to test 68e6947

@johntmyers johntmyers marked this pull request as ready for review April 30, 2026 16:41
@johntmyers johntmyers requested a review from a team as a code owner April 30, 2026 16:41

Development

Successfully merging this pull request may close these issues.

feat: add provider profile registry and policy layer composition foundation