
fix: localize infraguard policy metadata #113

Merged: Prodesire merged 5 commits into main from feature/infrauard_skill on Jun 10, 2026

@xiao201208

Collaborator

Summary

  • localize InfraGuard policy metadata where non-zh locales copied Chinese text
  • update the policy generator to emit ja/de/es/fr/pt metadata
  • add regression guards for copied zh metadata and Chinese text in non-CJK locales

Tests

  • uv run pytest tests/skills/bundled/test_iac_skill.py
  • uv run ruff check tests/skills/bundled/test_iac_skill.py src/iac_code/skills/bundled/iac_aliyun/scripts/generate_infraguard_policies.py
  • git diff --check

@Prodesire

Member

Directly putting various InfraGuard Rego policies into iac-code is inappropriate, as it increases maintenance costs and can easily lead to inconsistencies between the two sides. Recommendation:

  • Add a new pac-aliyun (Policy as Code for Aliyun) skill to host PAC-related capabilities.
  • In the skill, lazily fetch InfraGuard and its policies (check for updates) before implementing subsequent PAC capabilities.

@xiao201208

Collaborator Author

@Prodesire thanks for the clear direction. Addressed in 9f046c6: added a new bundled pac-aliyun skill for InfraGuard/PAC workflows, moved the policy-generation guidance there, and made the first PAC step a lazy InfraGuard sync via infraguard version, infraguard policy update, and infraguard policy list before generation/validation/catalog lookup.

I also narrowed iac-aliyun back to ROS/Terraform IaC workflows, removed the embedded InfraGuard Rego catalog and generator from iac-code, and updated auto-trigger tests so InfraGuard/Rego/PAC prompts route to pac-aliyun only. Verified with uv run pytest tests/skills -q and uv run ruff check src/iac_code/skills tests/skills; the pushed revision is ready for CI/re-review.

Comment thread .gitignore Outdated
eggs/
.eggs/
lib/
!src/iac_code/skills/bundled/iac_aliyun/references/infraguard-policies/lib/
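Review bot: the `!src/iac_code/skills/bundled/iac_aliyun/references/infraguard-policies/lib/` exception on the last line is only needed because the unanchored `lib/` pattern above it matches a directory named lib at any depth. If only the top-level build directory is meant to be ignored, anchoring it as `/lib/` would remove the need for per-path negations like this one.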

Collaborator

Redundant ignore

Collaborator Author

@binxin-wbx Fixed in 64c69f5 by removing the redundant .gitignore exceptions from the branch. The PR is updated and ready for re-check.

]


def should_trigger(prompt: str) -> bool:

Member

PAC should not be triggered in the IaC skill.

Collaborator Author

@Prodesire Fixed in 64c69f5. I removed the PAC workflow classifier from iac-aliyun; pac-aliyun now declares supersedes: iac-aliyun, and the generic auto-trigger dispatcher filters the broader IaC match. Verified with targeted auto-trigger tests, including the mixed Rego + ROS prompt.

@Prodesire Prodesire merged commit 3e9875b into main Jun 10, 2026
12 checks passed
@xiao201208 xiao201208 deleted the feature/infrauard_skill branch June 12, 2026 09:02