Polish std/net release boundary

[larimonious]

Summary

• move std/net target classification/policy into net/policy.rs and keep private probing gated only by NTNT_NET_ALLOW_PRIVATE=1 plus per-call allow_private
• make TCP reachability and port scan attempts spend one caller-visible timeout budget across resolved addresses instead of multiplying timeout by address count
• update DD-046/DD-047 to mark one-shot multi-protocol traceroute as release scope and defer MTR-style aggregation, parallel hop sweeps, and hop enrichment out of std/net

Verification

• cargo fmt && git diff --check && cargo test --lib stdlib::net -- --test-threads=1
• cargo build --profile dev-release
• cargo test --test type_checker_tests std_net -- --nocapture
• ./target/dev-release/ntnt docs --generate
• ./target/dev-release/ntnt validate examples/ (passes; existing examples/collections_demo warnings only)
• ./target/dev-release/ntnt lint examples/ (passes; existing warnings/suggestions only)
• cargo test

[greptile-apps]

Greptile Summary

This PR polishes the std/net release boundary and network probe behavior. It changes:

• Moves target classification and outbound policy into src/stdlib/net/policy.rs.
• Narrows private-target probing to NTNT_NET_ALLOW_PRIVATE plus per-call allow_private.
• Makes TCP reachability and port scanning spend one timeout budget across resolved addresses per port.
• Updates docs and design notes to separate one-shot traceroute from monitoring-style aggregation.

Confidence Score: 5/5

This looks safe to merge.

• No blocking issues found in the changed code.

_{Reviews (4): Last reviewed commit: "test: harden std/net review follow-ups" | Re-trigger Greptile}

[larimonious]

Addressed the Greptile findings in 2e14dc9.

• Fixed the reachable() false-negative regression: TCP reachability now uses one timeout budget per TCP port across that port's resolved addresses, so a filtered 80 no longer starves 443.
• Added regression coverage for the multi-port timeout path without real network dependency.
• Restored mapped IPv6 loopback enforcement coverage through enforce_resolved_target_policy.
• Documented the NTNT_ALLOW_PRIVATE_IPS / NTNT_NET_ALLOW_PRIVATE split across runtime docs, AI guide, generated stdlib docs, and DD-046; the policy error now includes the migration hint.
• Added policy tests for legacy NTNT_ALLOW_PRIVATE_IPS rejection and the positive NTNT_NET_ALLOW_PRIVATE=1 + allow_private: true path.

Verification run locally:

cargo fmt
cargo build --profile dev-release
./target/dev-release/ntnt docs --generate
cargo test --lib stdlib::net -- --nocapture
cargo test --test std_net_tests -- --nocapture
cargo test
greptile review --agent

Local Greptile result after fixes: safe to merge, confidence 4/5, no review comments. The remaining note is the explicit release tradeoff that multi-port reachable() can spend up to timeout_ms × number_of_tcp_ports, now documented.