[Reborn] Add vertical tests for post-3080 obligation handoffs

[serrrfirat]

Parent / related

• Vertical integration tracker: [TEST] Reborn: Add vertical-slice integration test suite #3067
• Host-runtime composition tracker: [Reborn] Compose ironclaw_host_runtime services #3087
• Obligations PR: feat(reborn): wire built-in obligations and handoffs #3080
• Network handoff: Wire staged network-policy obligations into runtime egress #3139
• Secret handoff: Wire staged one-shot secret injections into runtime adapters #3140

Summary

Add caller-level Reborn integration tests that prove the post-#3080 obligation path works through public host-runtime seams, not only crate-local helper tests.

Current state

#3080 added unit/contract coverage for CapabilityHost and BuiltinObligationHandler. Once production/service-graph composition and runtime handoff wiring are available, we need vertical tests through the public host-runtime path.

What to test

A thin end-to-end slice should cover:

• trust decision supplied/evaluated by host composition;
• authorization returns obligations;
• DefaultHostRuntime invokes CapabilityHost with configured BuiltinObligationHandler;
• runtime adapter / shared HTTP egress consumes staged network policy and/or secret material;
• output redaction / output limit / audit behavior is applied before publication;
• unsupported or missing obligations fail before backend side effects.

Acceptance criteria

• Tests go through HostRuntime/DefaultHostRuntime or HostRuntimeServices, not private helper calls only.
• At least one network-obligated capability consumes staged network policy before HTTP transport.
• At least one secret-obligated capability consumes staged one-shot secret material and redacts it from runtime-visible output/errors.
• Unsupported EnforceResourceCeiling or missing backing services fail closed before dispatch.
• Tests assert no raw secret/output/backend details leak through public outcomes/audit/status.

Verification

Suggested targeted checks:

cargo test -p ironclaw_host_runtime
cargo test -p ironclaw_dispatcher
cargo test -p ironclaw_wasm
python3.11 scripts/check_no_panics.py --base origin/reborn-integration --head HEAD

[serrrfirat]

Closed by merged PR #3338 on reborn-integration.

Evidence added/verified:

• HostRuntimeServices now exposes the host-owned NetworkObligationPolicyStore, so production HostHttpEgressService::new(...) can be wired to the same staged handoff store as BuiltinObligationHandler.
• host_runtime_services_wasm_http_uses_production_staged_network_and_secret_handoffs drives HostRuntimeServices -> DefaultHostRuntime -> CapabilityHost -> BuiltinObligationHandler -> RuntimeDispatcher -> WASM adapter -> HostHttpEgressService.
• The test verifies staged network policy reaches outbound transport, staged secret material is injected, and completed invocation cleanup leaves neither staged network policy nor staged secret material reusable.
• Existing HostRuntimeServices coverage also covers audit metadata-only records, output limit/resource reconciliation, scoped mounts, reservation cleanup, approval resume, missing staged secret before transport, and no direct host HTTP bypass.

Merged PR: #3338