feat: add claw approval MVP with privileged broker

Implement Postgres-backed claw approval flow and integrate gateway methods for create/list/get/approve/reject/execute/audit. Add a minimal systemd-run privileged broker with bearer auth, strict scope and exact-command validation, dangerous-shell blocking, atomic once-grant consumption, and execution audit updates.

scripts/claw-broker/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "claw-broker",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "broker.mjs",
+  "scripts": {
+    "start": "node broker.mjs"
+  },
+  "dependencies": {
+    "pg": "^8.20.0"
+  }
+}