
feat(policy): implement coco-config.yml v1 schema with preset field #5

Description

@sfc-gh-ksampath

Summary

Upgrade .github/coco-config.yml from the current single-knob schema to a full v1 schema with a preset field backed by plugin-shipped policy presets.

Background

The current schema has one meaningful field:

```yaml
fix_mode:
  max_auto: conservative
```

This is too minimal for real-world projects. There is no way to express scan scope, severity thresholds, path-based human-review gates, issue TTL, or notification targets.

Design

Two-layer model

```
Plugin (devops-coco-agents)           Template repo
─────────────────────────             ──────────────────────────────
default-policy.yml                    .github/coco-config.yml
  └─ preset: strict                     └─ preset: strict                ← pick one
  └─ preset: standard (default)         └─ overrides only what differs
  └─ preset: permissive                 └─ require_human_review is additive
```

Deep merge at workflow runtime. Project values win on conflict. require_human_review rules are always additive — a project override can add gates but never remove ones inherited from the preset.

Plugin default-policy.yml — three presets

```yaml
version: "1"

presets:

  strict:                        # zero auto-fix, full human review
    scan:
      include: ["**"]
      exclude: []
      min_severity: low
      min_confidence: medium
    fix:
      mode: "off"                # quoted on purpose: a bare `off` is read as boolean false by YAML 1.1 loaders
      excluded_paths: []
    policy:
      require_human_review:
        - when: { severity: [critical, high, medium, low] }
      issue_ttl_days: 60
      max_open_issues: 100
    notifications:
      on_critical: []

  standard:                      # conservative auto-fix, safe defaults
    scan:
      include: ["**"]
      exclude:
        - "**/test/**"
        - "**/tests/**"
        - "**/fixtures/**"
        - "**/vendor/**"
        - "**/*.lock"
      min_severity: medium
      min_confidence: medium
    fix:
      mode: conservative
      auto_fix:
        max_severity: low
        max_complexity: low
        min_confidence: high
      excluded_paths:
        - "**/*.lock"
        - "migrations/**"
    policy:
      require_human_review:
        - when: { severity: [critical, high] }
        - when: { paths: ["**/auth/**", "**/security/**", "**/crypto/**"] }
      issue_ttl_days: 30
      max_open_issues: 20
    notifications:
      on_critical: []

  permissive:                    # aggressive auto-fix, greenfield/experiment
    scan:
      include: ["**"]
      exclude:
        - "**/test/**"
        - "**/tests/**"
        - "**/*.lock"
      min_severity: low
      min_confidence: low
    fix:
      mode: aggressive
      auto_fix:
        max_severity: medium
        max_complexity: medium
        min_confidence: medium
      excluded_paths:
        - "**/*.lock"
    policy:
      require_human_review:
        - when: { severity: [critical] }
      issue_ttl_days: 14
      max_open_issues: 50
    notifications:
      on_critical: []
```

Project override examples

Fintech repo — strict + compliance overrides:
```yaml
version: "1"
preset: strict

scan:
  include: ["src/**", "api/**", "infra/**"]
  exclude: ["**/test/**"]

policy:
  require_human_review:
    - when: { paths: ["src/payments/**", "src/kyc/**"] }
  issue_ttl_days: 90

notifications:
  on_critical: ["@security-team", "@compliance-lead"]
```

Data pipeline repo — standard, no auth paths:
```yaml
version: "1"
preset: standard

scan:
  include: ["pipelines/**", "transforms/**"]
  exclude: ["pipelines/legacy/**"]

fix:
  excluded_paths: ["pipelines/legacy/**"]

policy:
  issue_ttl_days: 14
  max_open_issues: 10
```

Greenfield experiment — permissive, no overrides:
```yaml
version: "1"
preset: permissive
```

Runtime merge order

  1. Plugin default-policy.yml preset (base)
  2. .github/coco-config.yml deep-merged on top
  3. vars.COCO_MAX_AUTO overrides fix.mode only (existing behaviour preserved)
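The three-step merge above, worked through in code. This is an added illustration written for this issue, not the workflow's or plugin's own code. It assumes both YAML files have already been parsed into dicts (for example with `yaml.safe_load`), that a list in the project file replaces the preset's list wholesale (the issue only specifies that project values win), that `require_human_review` is the only additive key, and that a missing `preset` falls back to `standard`; the function names `deep_merge` and `resolve_policy` are this example's, not the plugin's.

```python
"""Resolve an effective coco policy: plugin preset, project overrides, env knob.

Added example for the merge order in the issue; not the workflow's own code.
Assumed: YAML already parsed to dicts, non-additive lists replace wholesale,
require_human_review is the only additive key, default preset is 'standard'.
"""
import copy
import json
import os

# Constructed: parsed form of the plugin default-policy.yml, trimmed to the
# 'standard' preset from the issue.
DEFAULT_POLICY = {
    "version": "1",
    "presets": {
        "standard": {
            "scan": {
                "include": ["**"],
                "exclude": ["**/test/**", "**/tests/**", "**/fixtures/**",
                            "**/vendor/**", "**/*.lock"],
                "min_severity": "medium",
                "min_confidence": "medium",
            },
            "fix": {
                "mode": "conservative",
                "auto_fix": {"max_severity": "low", "max_complexity": "low",
                             "min_confidence": "high"},
                "excluded_paths": ["**/*.lock", "migrations/**"],
            },
            "policy": {
                "require_human_review": [
                    {"when": {"severity": ["critical", "high"]}},
                    {"when": {"paths": ["**/auth/**", "**/security/**", "**/crypto/**"]}},
                ],
                "issue_ttl_days": 30,
                "max_open_issues": 20,
            },
            "notifications": {"on_critical": []},
        },
    },
}

# Constructed: the issue's data-pipeline .github/coco-config.yml plus one extra
# (hypothetical) review gate, to show that project gates are added to the preset's.
PROJECT_CONFIG = {
    "version": "1",
    "preset": "standard",
    "scan": {"include": ["pipelines/**", "transforms/**"],
             "exclude": ["pipelines/legacy/**"]},
    "fix": {"excluded_paths": ["pipelines/legacy/**"]},
    "policy": {
        "issue_ttl_days": 14,
        "max_open_issues": 10,
        "require_human_review": [{"when": {"paths": ["pipelines/secrets/**"]}}],
    },
}

# Keys whose list values are unioned rather than replaced (assumption: only this one).
ADDITIVE_LIST_KEYS = ("require_human_review",)


def deep_merge(base, override):
    """Return a new dict: base with override applied. Nested dicts recurse,
    scalars and ordinary lists are replaced by the project value, and additive
    keys keep every inherited entry and append new ones (dedup by equality)."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if key in ADDITIVE_LIST_KEYS:
            merged = list(result.get(key) or [])
            for entry in value or []:          # `or []` tolerates an empty YAML key
                if entry not in merged:
                    merged.append(entry)
            result[key] = merged               # a project can never shrink this list
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def resolve_policy(default_policy, project_config, env=None):
    """Steps 1-3 from the issue: preset base, project deep-merge, COCO_MAX_AUTO."""
    env = os.environ if env is None else env
    if str(project_config.get("version")) != "1":
        raise ValueError("coco-config.yml must declare version: \"1\"")
    preset_name = project_config.get("preset", "standard")
    if preset_name not in default_policy.get("presets", {}):
        raise ValueError(f"unknown preset {preset_name!r}")
    base = default_policy["presets"][preset_name]
    overrides = {k: v for k, v in project_config.items() if k not in ("version", "preset")}
    effective = deep_merge(base, overrides)
    max_auto = env.get("COCO_MAX_AUTO")       # existing knob: overrides fix.mode only
    if max_auto:
        effective.setdefault("fix", {})["mode"] = max_auto
    return effective


if __name__ == "__main__":
    print(json.dumps(resolve_policy(DEFAULT_POLICY, PROJECT_CONFIG, env={}), indent=2))
```

Two properties worth checking in a real implementation are visible in the result: an override of `require_human_review: []` leaves the preset's severity and path gates in place, and `COCO_MAX_AUTO` changes `fix.mode` without touching `fix.auto_fix` thresholds, so a repo that forces `conservative` still inherits the preset's `max_severity`.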

Acceptance Criteria

  • default-policy.yml added to devops-coco-agents plugin with strict, standard, permissive presets
  • .github/coco-config.yml updated to v1 schema (preset: standard default, full field set)
  • cortex-scan.yml workflow merges plugin defaults + project overrides before cortex exec
  • Existing vars.COCO_MAX_AUTO override still works (maps to fix.mode)
  • README documents the three presets and override pattern
  • require_human_review additive-only behaviour documented in AGENTS.md

Notes

  • standard preset should match current conservative behaviour so existing repos see no behaviour change on upgrade
  • Plugin-side changes go in devops-coco-agents repo; template-side changes go here

Metadata

Labels: enhancement (New feature or request)