fix: ensure GPU attestation is required when GPU is enabled

Previously, when GPU attestation was enabled, the policy would still
allow access with only CPU attestation due to the first rule being
unconditionally present. This fix ensures the CPU-only rule only
applies when GPU is disabled, preventing the bypass.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: butler54

templates/resource-policy.yaml

@@ -12,11 +12,12 @@ data:
     import rego.v1
 
     default allow := false
+    {{- if not .Values.kbs.gpu.enabled }}
 
     allow if {
       input["submods"]["cpu0"]["ear.status"] == "affirming"
     }
-    {{- if .Values.kbs.gpu.enabled }}
+    {{- else }}
 
     allow if {
       input["submods"]["cpu0"]["ear.status"] == "affirming"