feat: Implement Policy Engine Evaluation Service and Cache with unit tests

Temp commit to debug

docs/api/policy.md

@@ -326,7 +326,80 @@ Produces sealed bundle for determinism verification; returns location of bundle.
 
 ---
 
-## 7 · Effective Findings APIs
+## 7 · Batch Evaluation API
+
+Deterministic evaluator for downstream services (Findings Ledger, replay tooling, offline exporters). Consumers submit ledger event payloads and receive policy verdicts with rationale lists; no state is persisted in Policy Engine.
+
+```
+POST /api/policy/eval/batch
+Scopes: policy:simulate (service identities only)
+Headers: X-Stella-Tenant, Idempotency-Key (optional)
+```
+
+**Request**
+
+```jsonc
+{
+  "tenantId": "acme",
+  "policyVersion": "sha256:1fb2…",
+  "items": [
+    {
+      "findingId": "acme::artifact-1::CVE-2024-12345",
+      "eventId": "5d1fcc61-6903-42ef-9285-7f4d3d8f7f69",
+      "event": { ... canonical ledger payload ... },
+      "currentProjection": {
+        "status": "triaged",
+        "severity": 3.4,
+        "labels": { "exposure": "runtime" },
+        "explainRef": "policy://explain/123",
+        "rationale": ["policy://explain/123"]
+      }
+    }
+  ]
+}
+```
+
+| Field | Description |
+|-------|-------------|
+| `tenantId` | Must match the `X-Stella-Tenant` header. |
+| `policyVersion` | Deterministic policy digest (for example `sha256:<hex>`). Required for caching. |
+| `event` | Canonical ledger event payload (`ledger_events.event_body`). |
+| `currentProjection` | Optional snapshot of the existing finding projection. Null values are ignored. |
+
+**Response 200**
+
+```jsonc
+{
+  "items": [
+    {
+      "findingId": "acme::artifact-1::CVE-2024-12345",
+      "status": "affected",
+      "severity": 7.5,
+      "labels": { "exposure": "runtime" },
+      "explainRef": "policy://explain/123",
+      "rationale": [
+        "policy://explain/123",
+        "policy://remediation/321"
+      ]
+    }
+  ],
+  "cost": {
+    "units": 1,
+    "budgetRemaining": 999
+  }
+}
+```
+
+Notes:
+
+- Items that cannot be evaluated return `status: null` with an `error` object. Callers should fall back to inline evaluation.
+- Policy Engine enforces per-tenant cost budgets; batches that exceed the remaining allowance receive `429 Too Many Requests`.
+- Responses are deterministic; clients may cache results by `(tenantId, policyVersion, eventHash, projectionHash)` to support replay/offline parity.
+- Standard `ERR_POL_*` payloads surface errors; `ERR_POL_006` indicates the evaluator aborted the batch.
+
+---
+
+## 8 · Effective Findings APIs
 
 ### 7.1 List Findings
 
@@ -378,7 +451,7 @@ Returns rule hit sequence:
 
 ---
 
-## 8 · Events & Webhooks
+## 9 · Events & Webhooks
 
 - `policy.run.completed` – emitted with `runId`, `policyId`, `mode`, `stats`, `determinismHash`.
 - `policy.run.failed` – includes error code, retry count, guidance.
@@ -387,7 +460,7 @@ Returns rule hit sequence:
 
 ---
 
-## 9 · Compliance Checklist
+## 10 · Compliance Checklist
 
 - [ ] **Scopes enforced:** Endpoint access requires correct Authority scope mapping (see `/src/Authority/StellaOps.Authority/TASKS.md`).
 - [ ] **Schemas current:** JSON examples align with Scheduler Models (`SCHED-MODELS-20-001`) and Policy Engine DTOs; update when contracts change.