Move TrafficBoundaryAuditTest to per-PR CI #1706

@roryford

Background

TrafficBoundaryAuditTest is a source-grep test — it walks the filesystem and checks boundary rules (network I/O allowlists, import graph, hostname literals, Package.swift target boundaries). It does not require a build or any trait.

It is currently gated behind RUN_SLOW_TESTS=1 and only runs nightly. This caused a 6-day detection lag (Jun 1–6) when two separate violations slipped through:

Proposal

Remove the RUN_SLOW_TESTS=1 guard from TrafficBoundaryAuditTest so it runs unconditionally in any swift test invocation. Add it to the per-PR XCTest filter batch in ci.yml (or rely on the existing ManifoldInferenceTests filter since it lives there).

The nightly header comment lists it at ~50s — cheap enough for per-PR. The nightly run can keep it too (no harm in double coverage).

Why it's safe to move

  • Pure filesystem walk, no compilation required
  • No trait dependency — rules fire regardless of CloudSaaS/MLX/etc.
  • Fast (~50s measured)
  • Catches the class of violation that #if gates can hide from compile-time CI
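
To illustrate the last point, here is an added example (not the project's TrafficBoundaryAuditTest, and written in Python rather than Swift so it runs stand-alone) of a source-grep audit that flags violations inside an `#if CloudSaaS` block that a build without that trait would never compile. The rule patterns, allowlists, file paths and sample sources are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed rules for illustration; the real test's rule set is not shown in the issue.
NETWORK_IO = re.compile(r"\b(?:URLSession|URLRequest|NWConnection)\b")
HOST_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")
NETWORK_ALLOWLIST = {"Sources/Net/HTTPClient.swift"}  # hypothetical path
HOST_ALLOWLIST = {"localhost"}

def audit(root):
    """Scan every .swift file as plain text and return (file, line, rule) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.swift")):
        rel = path.relative_to(root).as_posix()
        for n, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # skip whole-line comments
            # No preprocessor evaluation: lines inside #if blocks are scanned too.
            for host in HOST_LITERAL.findall(line):
                if host not in HOST_ALLOWLIST:
                    findings.append((rel, n, "hostname-literal:" + host))
            if NETWORK_IO.search(line) and rel not in NETWORK_ALLOWLIST:
                findings.append((rel, n, "network-io"))
    return findings

# Constructed sample tree (not taken from the project).
SAMPLE = {
    "Sources/Net/HTTPClient.swift": "import Foundation\nlet s = URLSession.shared\n",
    "Sources/Inference/Engine.swift": (
        "import Foundation\n"
        "#if CloudSaaS\n"
        'let endpoint = "https://api.example.invalid/v1"\n'
        "let session = URLSession.shared\n"
        "#endif\n"
    ),
    "Sources/Inference/Tokenizer.swift": "struct Tokenizer {}\n",
}

def run_demo():
    """Write the sample tree to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The allowlisted `HTTPClient.swift` passes, while both lines inside the `#if CloudSaaS` block in `Engine.swift` are reported even though no compiler configuration was evaluated.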
