feat(public): unified policy page with sub-tabs (scanning + data + identity)

Extracted #scanning-policy, #scanner-identity, #data-policy from
public-site.html into a single templates/public/policy.html with
path-driven sub-tab activation. Routes /scanning-policy, /scanner-identity,
/data-policy now serve this page; the active sub-tab is determined by the
request path (JS reads window.location.pathname; falls back to direct
linking if JS disabled).

Test: public_policy_routes_serve_policy_content
(GETs each path, asserts 200 + all three section ids present).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: skullcmd

src/bin/anyscan-api.rs

@@ -417,12 +417,12 @@ async fn main() -> Result<()> {
         .route("/", get(public_index))
         .route("/app", get(operator_app))
         .route("/app/overview", get(operator_pages::operator_overview))
-        .route("/scanning-policy", get(public_page))
-        .route("/scanner-identity", get(public_page))
+        .route("/scanning-policy", get(public_policy))
+        .route("/scanner-identity", get(public_policy))
         .route("/opt-out", get(public_page))
         .route("/claim", get(public_page))
         .route("/abuse", get(public_page))
-        .route("/data-policy", get(public_page))
+        .route("/data-policy", get(public_policy))
         .route("/.well-known/security.txt", get(security_txt))
         .route("/api/public/profile", get(public_profile))
         .route("/api/public/findings", get(list_public_findings))
@@ -604,6 +604,10 @@ async fn public_page() -> Html<&'static str> {
     Html(include_str!("../../public-site.html"))
 }
 
+async fn public_policy() -> Html<&'static str> {
+    Html(include_str!("../../templates/public/policy.html"))
+}
+
 async fn enforce_worker_only_host_routes(
     State(state): State<Arc<AppState>>,
     request: Request,
@@ -4483,4 +4487,50 @@ mod tests {
         assert!(resolved.request_opt_in_enabled);
         assert!(resolved.is_enabled());
     }
+
+    #[tokio::test]
+    async fn public_policy_routes_serve_policy_content() {
+        let app = Router::new()
+            .route("/scanning-policy", get(public_policy))
+            .route("/scanner-identity", get(public_policy))
+            .route("/data-policy", get(public_policy));
+
+        let listener = TcpListener::bind("127.0.0.1:0")
+            .await
+            .expect("bind ephemeral port");
+        let addr = listener.local_addr().expect("local addr");
+        let server = tokio::spawn(async move {
+            axum::serve(listener, app).await.expect("serve policy app");
+        });
+
+        let client = reqwest::Client::new();
+        for path in ["/scanning-policy", "/scanner-identity", "/data-policy"] {
+            let url = format!("http://{}{}", addr, path);
+            let response = client.get(&url).send().await.expect("send request");
+            assert_eq!(
+                response.status(),
+                reqwest::StatusCode::OK,
+                "{} should return 200",
+                path
+            );
+            let body = response.text().await.expect("read body");
+            assert!(
+                body.contains(r#"id="scanning-policy""#),
+                "{} body missing scanning-policy section",
+                path
+            );
+            assert!(
+                body.contains(r#"id="scanner-identity""#),
+                "{} body missing scanner-identity section",
+                path
+            );
+            assert!(
+                body.contains(r#"id="data-policy""#),
+                "{} body missing data-policy section",
+                path
+            );
+        }
+
+        server.abort();
+    }
 }