[log] Add debug logging to guard policy JSON unmarshaling (#3733)

## Summary

Adds 5 targeted `logGuardPolicy` debug log calls to
`internal/config/guard_policy.go` — previously unlogged but important
functions in the DIFC guard policy parsing pipeline.

## Changes

**File:** `internal/config/guard_policy.go`

Three functions now have debug logging:

### `GuardPolicy.UnmarshalJSON`
- Logs parsed key count after initial JSON decode (helps diagnose
unexpected policy structures)
- Logs resolved policy type (`allow-only` vs `write-sink`) before
returning

### `AllowOnlyPolicy.UnmarshalJSON`
- Logs field count on entry (visibility into how many fields are being
parsed)
- Logs parsed `repos` type and `minIntegrity` value on successful parse

### `normalizeAndValidateScopeArray`
- Logs scope entry count before validation loop begins

## Quality

- ✅ Exactly 1 file modified (focused PR)
- ✅ No test files modified
- ✅ Reuses existing `logGuardPolicy = logger.New("config:guard_policy")`
logger — no new declaration added
- ✅ Logger naming follows `pkg:filename` convention (already established
in the file)
- ✅ No side effects in logger arguments — only pre-computed values
(`len(raw)`, `p.MinIntegrity`, etc.)
- ✅ Messages are meaningful and helpful for troubleshooting policy parse
failures
- ✅ No duplication with existing log calls

## Context

`guard_policy.go` is 800 lines with complex DIFC guard policy
parsing/validation logic. The `UnmarshalJSON` functions are called
during gateway startup and whenever policy JSON is parsed. These are the
first places where malformed configs would fail, making entry/exit
logging particularly useful for diagnosing configuration issues.




> Generated by [Go Logger
Enhancement](https://github.com/github/gh-aw-mcpg/actions/runs/24381958087/agentic_workflow)
· ● 9M ·
[◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+go-logger%22&type=pullrequests)

<!-- gh-aw-agentic-workflow: Go Logger Enhancement, engine: copilot,
model: auto, id: 24381958087, workflow_id: go-logger, run:
https://github.com/github/gh-aw-mcpg/actions/runs/24381958087 -->

<!-- gh-aw-workflow-id: go-logger -->

Author: lpcox

internal/config/guard_policy.go

@@ -69,6 +69,7 @@ func (p *GuardPolicy) UnmarshalJSON(data []byte) error {
 	if err := json.Unmarshal(data, &raw); err != nil {
 		return err
 	}
+	logGuardPolicy.Printf("UnmarshalJSON: parsing guard policy, keys=%d", len(raw))
 
 	var allowOnlyRaw json.RawMessage
 	var writeSinkRaw json.RawMessage
@@ -106,6 +107,11 @@ func (p *GuardPolicy) UnmarshalJSON(data []byte) error {
 		p.WriteSink = &writeSink
 	}
 
+	if len(allowOnlyRaw) > 0 {
+		logGuardPolicy.Print("UnmarshalJSON: guard policy type is allow-only")
+	} else {
+		logGuardPolicy.Print("UnmarshalJSON: guard policy type is write-sink")
+	}
 	return nil
 }
 
@@ -123,6 +129,7 @@ func (p *AllowOnlyPolicy) UnmarshalJSON(data []byte) error {
 	if err := json.Unmarshal(data, &raw); err != nil {
 		return err
 	}
+	logGuardPolicy.Printf("UnmarshalJSON: parsing allow-only policy, fields=%d", len(raw))
 
 	for key, value := range raw {
 		switch strings.ToLower(key) {
@@ -174,6 +181,7 @@ func (p *AllowOnlyPolicy) UnmarshalJSON(data []byte) error {
 		return fmt.Errorf("allow-only must include min-integrity")
 	}
 
+	logGuardPolicy.Printf("UnmarshalJSON: allow-only policy parsed, repos=%T, minIntegrity=%s", p.Repos, p.MinIntegrity)
 	return nil
 }
 
@@ -477,6 +485,7 @@ func normalizeAndValidateScopeArray(scopes []interface{}) ([]string, error) {
 	if len(scopes) == 0 {
 		return nil, fmt.Errorf("allow-only.repos array must contain at least one scope")
 	}
+	logGuardPolicy.Printf("normalizeAndValidateScopeArray: validating %d repo scope entries", len(scopes))
 
 	seen := make(map[string]struct{}, len(scopes))
 	normalized := make([]string, 0, len(scopes))