feat: add macOS Mach IPC policy controls

[jy-tan]

Summary

Add macOS-specific Mach IPC controls so Fence users can allow the mach-lookup and mach-register services required by sandboxed tools while keeping this backend-specific policy out of the portable top-level config model.

Resolves #116.

Changes

• Add a macos.mach config namespace with lookup and register allowlists
• Support exact service names, trailing wildcards like org.chromium.*, and ["*"] for broad compatibility when needed
• Validate, merge, serialize, and publish the new config shape in the generated JSON schema
• Emit matching mach-lookup and mach-register rules in the macOS Seatbelt profile
• Surface blocked Mach denials in monitor mode so missing services are discoverable while tuning policy
• Document the new config and security tradeoffs for backend-specific Mach/XPC exceptions

[cubic-dev-ai]

1 issue found across 13 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/library.md">

<violation number="1" location="docs/library.md:205">
P2: Documenting MacOSConfig/MachConfig as part of the public fence API is misleading because pkg/fence does not re-export those types.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}