fix: Round 6 slop audit — string type guards + HTTP port validation

[b-macker]

Summary

• Add is_string() type guards to all 261 previously unguarded .get<std::string>() calls across 14 source files, completing the type guard coverage started in PR fix: drift tests, type guards, and R4/R5 audit fixes #28 (which covered bool/int/double/size_t but missed strings)
• Fix silent catch(...){} on std::stoi in HTTP URL port parsing — invalid ports now throw with clear error messages instead of silently defaulting to port 0
• Python import blocking (F-3) deferred — static scanning in checkCodeInjection() provides partial coverage

Round 6 audit stats

• 3 confirmed findings (1 HIGH, 2 MEDIUM), 7 false positives eliminated
• Trend: R4: 12 → R5: 6 → R6: 3 findings

Files changed (13)

File	Change
governance_config.cpp	192 string guards added
governance_engine.cpp	16 string guards added
agent_provider.cpp	10 string guards + error field guards
scanner.cpp	10 string guards
block_registry.cpp	7 string guards
package_manager.cpp	6 string guards
block_search_index.cpp	4 string guards
lockfile.cpp	4 string guards
trust_store.cpp	3 string guards
governance_reports.cpp	3 string guards
project_context.cpp	2 string guards
agent_review.cpp	HMAC field guard fix
http_impl.cpp	Port validation + range check

Test plan

• Build: 0 errors
• Error message leak test: 738/738 passed
• Config fuzz test: 100/100 passed (0 crashes)
• Full test suite: 396/396, 0 unexpected failures

🤖 Generated with Claude Code

[github-actions]

NAAb Governance Report

Metric	Count
Files checked	16
Passed	16
Failed	0

All governance checks passed!

_{Generated by NAAb Governance Engine v4.0}