docs(ocsf): document why protocol_name and rule_type remain String

Add inline comments explaining the intentional decision to keep these
fields as String rather than typed enums: protocol_name is free-form
per the OCSF spec, and rule_type is a project-specific extension with
runtime-dynamic values from the policy engine.

Author: johntmyers

crates/openshell-ocsf/src/objects/connection.rs

@@ -9,6 +9,9 @@ use serde::{Deserialize, Serialize};
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct ConnectionInfo {
     /// Protocol name (e.g., "tcp", "udp").
+    ///
+    /// Kept as `String` because the OCSF spec defines this as free-form
+    /// `string_t`, and sandbox integration passes runtime-dynamic values.
     pub protocol_name: String,
 }
 

crates/openshell-ocsf/src/objects/firewall_rule.rs

@@ -12,6 +12,9 @@ pub struct FirewallRule {
     pub name: String,
 
     /// Rule type / engine (e.g., "mechanistic", "opa", "iptables").
+    ///
+    /// Kept as `String` because this is a project-specific extension field
+    /// (not OCSF-enumerated) with runtime-dynamic values from the policy engine.
     #[serde(rename = "type")]
     pub rule_type: String,
 }