fix(agent-zero): NetworkPolicy egress rule for fc-llm-bridge (ADR-088)

The chat_model flip (62db15c) pointed Agent Zero at
fc-llm-bridge.fc-llm-bridge.svc.cluster.local:8080 but the existing
agent-zero-netpol only allowed egress to specific node IPs
(10.0.56.20:11434, 10.0.57.17:11434, 10.0.57.16:5200, 10.0.56.11:6443)
plus public-internet (with RFC1918 exclusion). ClusterIP traffic to
10.43.0.0/16 was implicitly denied, so pod-exec curl to the bridge
timed out after 134s.

Adds an egress rule allowing TCP 8080 to the fc-llm-bridge namespace
(matched by kubernetes.io/metadata.name which K8s 1.22+ sets
automatically). No ingress changes needed — fc-llm-bridge has no
NetworkPolicy, so the ingress side is already open.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
2026-04-23 09:59:17 -05:00
parent 62db15c69c
commit 6cbb5d8792

@@ -531,6 +531,15 @@ spec:
cidr: 10.0.56.11/32 cidr: 10.0.56.11/32
ports: ports:
- port: 6443 - port: 6443
# FlowerCore LLM Bridge (ADR-088 chat_model routing) — ClusterIP service
# in the fc-llm-bridge namespace on port 8080.
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: fc-llm-bridge
ports:
- port: 8080
protocol: TCP
# Allow internet (for kubectl image pull, etc) # Allow internet (for kubectl image pull, etc)
- to: - to:
- ipBlock: - ipBlock:
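Review bot: the new `to:` entry selects on `namespaceSelector` alone, so it permits TCP 8080 egress from Agent Zero to every pod in the fc-llm-bridge namespace, not only the bridge itself. Adding a `podSelector` with the bridge's pod labels inside the same list item as the `namespaceSelector` (same `-` entry, so the two are ANDed) would keep the rule scoped to the one workload; as a separate list item it would be ORed and widen the rule instead. This matters more here because the commit message notes that fc-llm-bridge has no NetworkPolicy of its own, which leaves this egress rule as the only control on that path. It is also worth confirming that 8080 is the container port and not just the Service port: with pod and namespace selectors the policy is normally evaluated against the pod endpoint, so a Service whose targetPort differs from 8080 would still be blocked by `- port: 8080`.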