test(e2e): migrate security policy and credential coverage

[jyaunches]

Parent epic: #3588

Goal

Migrate the security-policy-credentials E2E coverage area into the layered scenario framework without porting legacy scripts line-for-line. Add the missing primitive layer first, then move assertions into scenario plans/suites with stable IDs.

Legacy / current coverage to absorb

• test-network-policy.sh
• test-shields-config.sh
• test-credential-migration.sh
• test-credential-sanitization.sh
• test-telegram-injection.sh
• test-gateway-drift-preflight.sh
• test-gateway-health-honest.sh
• test-openshell-version-pin.sh

Architecture contract

• Add or extend the domain primitive library: test/e2e/validation_suites/lib/security_policy_credentials.sh.
• Helpers must consume $E2E_CONTEXT_DIR/context.env; suites must not reinstall, onboard, or rediscover setup state.
• Add/extend suite family entries in test/e2e/validation_suites/suites.yaml.
• Add onboarding profiles/test plans/onboarding assertions only when the behavior belongs before expected-state validation.
• Emit stable assertion IDs using <layer>.<domain>.<behavior>.
• Update test/e2e/docs/parity-map.yaml metadata with layer, gap_domain, owner, and runner/secret requirements where applicable.
• Preserve compatibility with existing run-scenario.sh <id> --plan-only behavior.

Acceptance criteria

• Domain primitive helpers exist and are used by migrated suite steps.
• At least the highest-value assertions from the listed legacy coverage are mapped to stable scenario assertion IDs.
• Remaining legacy assertions are explicitly classified as deferred or retired with layer/domain metadata.
• Scenario framework tests pass for resolver/schema/suite/parity-map validation.
• The coverage report makes this domain visible as covered, deferred, or retired.