guardrails: provider admission policy

Parent epic: #1

Source brief:
- `docs/ai-guardrails/issues/005-provider-admission-policy.md`

## Problem
The internal distribution needs a stable provider strategy that does not tie product decisions to one transient model name.

## Deliverables
- lane policy for `zai`, `openai`, and `openrouter`
- provider allowlist and denylist defaults
- evaluation checklist for OpenRouter-backed candidates
- confidential-repo restrictions for preview, free, or data-collecting models

## Acceptance
- provider defaults are expressed in config, not only in prose
- evaluation lane is separate from standard defaults
- policy references official routing and data controls, not assumptions

## Notes
- Follow the thin-distribution approach from `docs/ai-guardrails/adr/001-thin-distribution-over-deep-fork.md`
- Preserve the philosophy imported from `claude-code-skills` epic #130: mechanism-first guardrails, fast feedback, pointer-based instructions, and runtime verifiability
- Prefer OpenCode-native config/profile/plugin/command/CI surfaces over core patches

## Dependencies
- #1
- `docs/ai-guardrails/adr/002-provider-admission-lanes.md`


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

guardrails: provider admission policy #6

Problem

Deliverables

Acceptance

Notes

Dependencies

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

guardrails: provider admission policy #6

Description

Problem

Deliverables

Acceptance

Notes

Dependencies

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions