fix(ui): policy save button blocked by stray hx-post

The policy edit form had `hx-post` pointing at the preview endpoint
alongside its real `action`, so HTMX hijacked submissions and the
"Save policy" button silently invoked preview instead of saving.

Removing the attribute lets the form post normally to the update
controller, which 303s back to the edit page; the existing Alpine
preview component already calls `load()` on `x-init`, so the preview
now refreshes automatically after each save while the manual
Refresh button stays available.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ui/resources/views/pages/policies/edit.twig

@@ -24,8 +24,7 @@
         {% endif %}
     </div>
 
-    <form method="post" action="/app/policies/{{ policy.id }}" class="mt-6"
-          {% if can_write %}hx-post="/api/v1/admin/policies/{{ policy.id }}/preview"{% endif %}>
+    <form method="post" action="/app/policies/{{ policy.id }}" class="mt-6">
         <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
 
         <section class="rounded-2xl border border-slate-200 bg-white p-5 shadow-sm dark:border-slate-800 dark:bg-slate-900">

ui/src/Controllers/PoliciesController.php

@@ -20,8 +20,12 @@ use Slim\Views\Twig;
  * pairs; we resolve those into the api's `thresholds: {slug: number}`
  * shape. Empty values mean "remove from policy".
  *
- * Live preview is driven by an htmx fetch from the edit page directly
- * to `/api/v1/admin/policies/{id}/preview` via the same session token.
+ * Live preview is driven by an Alpine component on the edit page
+ * that fetches `/app/policies/{id}/preview-proxy`, which forwards
+ * to the api with the user's session impersonation. The component
+ * runs on `x-init` so the preview auto-refreshes after a save
+ * (post-save redirect reloads the page); a Refresh button stays
+ * available for ad-hoc refetches.
  *
  * RBAC: list/show/preview ⇒ Viewer; write ⇒ Admin.
  */