fix(manifests): replace broken NetworkPolicy with proper platform ingress rules

The allow-from-runner-namespaces NP (#1553) uses podSelector: {} (all pods)
but only permits ingress from runner pods, blocking OpenShift router traffic
to the frontend and all other services. This caused outages on both Stage
and UAT clusters.

Replace with allow-platform-ingress that permits:
- OpenShift router ingress (policy-group.network.openshift.io/ingress label)
- Intra-namespace pod-to-pod traffic
- Runner pod ingress from any namespace (original intent of #1553)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: user

components/manifests/base/runner-networkpolicy.yaml

@@ -1,15 +1,20 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-from-runner-namespaces
+  name: allow-platform-ingress
 spec:
   podSelector: {}
   policyTypes:
-  - Ingress
+    - Ingress
   ingress:
-  - {}
-  - from:
-    - namespaceSelector: {}
-      podSelector:
-        matchLabels:
-          app: ambient-code-runner
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              policy-group.network.openshift.io/ingress: ""
+    - from:
+        - podSelector: {}
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: ambient-code-runner