refactor: split large monolithic files identified by semantic clustering analysis (#4813)

Two files flagged by automated semantic function clustering (`wasm.go`
at 1,225 lines, `guard_policy.go` at 797 lines) each mixed 4 distinct
concerns. Split both along their natural seams.

## `internal/guard/wasm.go` → 3 files

| File | Responsibility |
|---|---|
| `wasm.go` | Struct, lifecycle, host functions, public dispatch
(LabelAgent/LabelResource/LabelResponse/Close) |
| `wasm_payload.go` | Policy payload building and validation before WASM
call |
| `wasm_parse.go` | Response parsing, WASM memory management
(alloc/dealloc/call helpers) |

The split mirrors the existing test file naming (`wasm_test.go`,
`wasm_parse_test.go`, `wasm_response_parse_test.go`) — the logical
separation was already in authors' heads.

## `internal/config/guard_policy.go` → 3 files

| File | Responsibility |
|---|---|
| `guard_policy.go` | Struct definitions, JSON marshal/unmarshal,
`IsWriteSinkPolicy` |
| `guard_policy_validation.go` | `Validate*`, `Normalize*`, and
character/token helpers |
| `guard_policy_parse.go` | `Parse*`, `Build*`, `NormalizeScopeKind` |

## Not addressed: `getTracer()` duplication

The identical one-liner on `UnifiedServer` and `proxyHandler` was left
as-is — extracting a shared `tracerHolder` would require a new
cross-package dependency for two trivial methods, not worth the
structural cost.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build3049887614/b509/launcher.test
/tmp/go-build3049887614/b509/launcher.test
-test.testlogfile=/tmp/go-build3049887614/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 2/compile.go
2/equals.go x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build3765283910/b509/launcher.test
/tmp/go-build3765283910/b509/launcher.test
-test.testlogfile=/tmp/go-build3765283910/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
ache/go/1.25.9/x64/src/os/user 64/src/net/http/httputil/dump.go .cfg
--global user.name x_amd64/cgo
ache/go/1.25.9/x64/pkg/tool/linux_amd64/compile -o 9887614/b468/_pkg_.a
-trimpath .cfg -p g/grpc/internal/--version -lang=go1.24
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build27267908/b513/launcher.test
/tmp/go-build27267908/b513/launcher.test
-test.testlogfile=/tmp/go-build27267908/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s estl�� --version x_amd64/asm
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet rnal/errors/errobash .cfg
64/pkg/tool/linu--noprofile ache/go/1.25.9/x64/pkg/tool/linu-buildtags`
(dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3049887614/b491/config.test
/tmp/go-build3049887614/b491/config.test
-test.testlogfile=/tmp/go-build3049887614/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true ktype/networktype.go
6UTz/5ecS_4XL9_qgoogle.golang.org/grpc/credentials x_amd64/asm` (dns
block)
> - Triggering command: `/tmp/go-build3765283910/b491/config.test
/tmp/go-build3765283910/b491/config.test
-test.testlogfile=/tmp/go-build3765283910/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true ACCEPT
/tmp/go-build3049887614/b100/vet.cfg 64/pkg/tool/linux_amd64/vet
9887614/b346/ --global ctor 64/pkg/tool/linux_amd64/vet -I
t/example_test.go t/gateway_integration_test.go
64/pkg/tool/linux_amd64/compile --gdwarf-5 --64 -o
64/pkg/tool/linusecurity` (dns block)
> - Triggering command: `/tmp/go-build27267908/b495/config.test
/tmp/go-build27267908/b495/config.test
-test.testlogfile=/tmp/go-build27267908/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s .cfg�� 9887614/b552/_pkg_.a
-tests x_amd64/vet
64/src/runtime/c/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet`
(dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build3049887614/b509/launcher.test
/tmp/go-build3049887614/b509/launcher.test
-test.testlogfile=/tmp/go-build3049887614/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 2/compile.go
2/equals.go x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build3765283910/b509/launcher.test
/tmp/go-build3765283910/b509/launcher.test
-test.testlogfile=/tmp/go-build3765283910/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
ache/go/1.25.9/x64/src/os/user 64/src/net/http/httputil/dump.go .cfg
--global user.name x_amd64/cgo
ache/go/1.25.9/x64/pkg/tool/linux_amd64/compile -o 9887614/b468/_pkg_.a
-trimpath .cfg -p g/grpc/internal/--version -lang=go1.24
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build27267908/b513/launcher.test
/tmp/go-build27267908/b513/launcher.test
-test.testlogfile=/tmp/go-build27267908/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s estl�� --version x_amd64/asm
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet rnal/errors/errobash .cfg
64/pkg/tool/linu--noprofile ache/go/1.25.9/x64/pkg/tool/linu-buildtags`
(dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build3049887614/b509/launcher.test
/tmp/go-build3049887614/b509/launcher.test
-test.testlogfile=/tmp/go-build3049887614/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 2/compile.go
2/equals.go x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build3765283910/b509/launcher.test
/tmp/go-build3765283910/b509/launcher.test
-test.testlogfile=/tmp/go-build3765283910/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
ache/go/1.25.9/x64/src/os/user 64/src/net/http/httputil/dump.go .cfg
--global user.name x_amd64/cgo
ache/go/1.25.9/x64/pkg/tool/linux_amd64/compile -o 9887614/b468/_pkg_.a
-trimpath .cfg -p g/grpc/internal/--version -lang=go1.24
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build27267908/b513/launcher.test
/tmp/go-build27267908/b513/launcher.test
-test.testlogfile=/tmp/go-build27267908/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s estl�� --version x_amd64/asm
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet rnal/errors/errobash .cfg
64/pkg/tool/linu--noprofile ache/go/1.25.9/x64/pkg/tool/linu-buildtags`
(dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3049887614/b518/mcp.test
/tmp/go-build3049887614/b518/mcp.test
-test.testlogfile=/tmp/go-build3049887614/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
rnal/encoding/ta-errorsas .cfg x_amd64/compile -p path/filepath
-lang=go1.25 x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build3765283910/b518/mcp.test
/tmp/go-build3765283910/b518/mcp.test
-test.testlogfile=/tmp/go-build3765283910/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
olang.org/grpc@v1.80.0/health/gr-c=4
olang.org/grpc@v1.80.0/health/gr-nolocalimports x_amd64/compile -p
g/protobuf/runti/usr/bin/runc -lang=go1.25 x_amd64/compile -W
3sHF/gPXvu-EnuLHrnQI63sHF
pkg/mod/go.opentelemetry.io/otel@v1.43.0/internal/global/instrum-ifaceassert
x_amd64/vet . --gdwarf2 --64 x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build27267908/b522/mcp.test
/tmp/go-build27267908/b522/mcp.test
-test.testlogfile=/tmp/go-build27267908/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox