feat(policy): add GitHub Copilot API endpoints and update binary paths

- Add copilot_api policy with all endpoints from GitHub's official
  Copilot allowlist reference (api.githubcopilot.com, subscription-tier
  APIs, model proxy, telemetry, feature flags, updates)
- Configure L7 inspection (protocol: rest, tls: terminate) on Copilot
  API endpoints for credential injection support
- Add copilot and node binary paths to github_rest_api and
  github_ssh_over_https policies
- Remove incomplete copilot policy (lacked L7 config and was missing
  individual/business tier endpoints)

Tested end-to-end in a live OpenShell sandbox with proxy-based
credential injection. All auth formats verified working (Bearer, token,
Basic, query param).

Author: OpenClaw Agent

sandboxes/base/policy.yaml

@@ -71,6 +71,10 @@ network_policies:
           #    path: "/**/git-receive-pack"
     binaries:
       - { path: /usr/bin/git }
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/**" }
+      - { path: "/usr/lib/git-core/**" }
 
   nvidia_inference:
     name: nvidia-inference
@@ -94,6 +98,31 @@ network_policies:
     binaries:
       - { path: /usr/local/bin/claude }
       - { path: /usr/bin/gh }
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/**" }
+
+  # --- GitHub Copilot API ---
+  # Endpoints from https://docs.github.com/en/copilot/reference/copilot-allowlist-reference
+  copilot_api:
+    name: copilot-api
+    endpoints:
+      # Copilot API (subscription-tier routing)
+      - { host: api.githubcopilot.com, port: 443, protocol: rest, tls: terminate, enforcement: enforce, access: read-write }
+      - { host: api.individual.githubcopilot.com, port: 443, protocol: rest, tls: terminate, enforcement: enforce, access: read-write }
+      - { host: api.business.githubcopilot.com, port: 443, protocol: rest, tls: terminate, enforcement: enforce, access: read-write }
+      - { host: api.enterprise.githubcopilot.com, port: 443, protocol: rest, tls: terminate, enforcement: enforce, access: read-write }
+      # Model proxy
+      - { host: copilot-proxy.githubusercontent.com, port: 443, protocol: rest, tls: terminate, enforcement: enforce, access: read-write }
+      # Telemetry, feature flags, updates
+      - { host: origin-tracker.githubusercontent.com, port: 443 }
+      - { host: telemetry.enterprise.githubcopilot.com, port: 443 }
+      - { host: default.exp-tas.com, port: 443 }
+      - { host: release-assets.githubusercontent.com, port: 443 }
+    binaries:
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/**" }
 
   pypi:
     name: pypi
@@ -160,19 +189,6 @@ network_policies:
     - path: /usr/bin/node
     - path: /usr/local/bin/opencode
 
-  copilot:
-    name: copilot
-    endpoints:
-    - { host: github.com, port: 443 }
-    - { host: api.github.com, port: 443 }
-    - { host: api.githubcopilot.com, port: 443 }
-    - { host: api.enterprise.githubcopilot.com, port: 443 }
-    - { host: release-assets.githubusercontent.com, port: 443 }
-    - { host: copilot-proxy.githubusercontent.com, port: 443 }
-    - { host: default.exp-tas.com, port: 443 }
-    binaries:
-    - { path: /usr/lib/node_modules/@github/copilot/node_modules/@github/**/copilot }
-
   codex:
     name: codex
     endpoints: