fix(policy): use engine default verdict for QUIC instead of hardcoded deny

EvaluateQUICDetailed was hardcoded to return Deny as the default
verdict, ignoring the engine's configured default. When default is
"ask", QUIC traffic to unmatched destinations was silently dropped
instead of triggering approval. Now uses e.Default so QUIC respects
the same default as TCP.

Author: nnemirovsky

internal/policy/engine.go

@@ -767,5 +767,9 @@ func (e *Engine) EvaluateQUICDetailed(dest string, port int) (Verdict, MatchSour
 	if matchRulesStrictProto(e.compiled.askRules, dest, port, protoNameUDP) {
 		return Ask, RuleMatch
 	}
-	return Deny, DefaultVerdict
+	// Use the engine's configured default verdict. Unscoped rules (no
+	// protocol filter) are NOT matched for QUIC because they are
+	// TCP-scoped by convention and should not inadvertently allow or
+	// deny UDP/QUIC traffic.
+	return e.Default, DefaultVerdict
 }

internal/proxy/server.go

@@ -1556,7 +1556,6 @@ func (s *Server) handleAssociate(_ context.Context, writer io.Writer, request *s
 				log.Printf("[UDP] invalid datagram from %s: %v", srcAddr, parseErr)
 				continue
 			}
-
 			// DNS interception: port 53 traffic goes to the DNS interceptor.
 			if port == 53 && s.dnsInterceptor != nil {
 				resp, dnsErr := s.dnsInterceptor.HandleQuery(payload)