internal/divert: WinDivert handle wrapper

Thin Go layer over imgk/divert-go. Exposes Open/Close/Recv/Send and
maps the most relevant Windows errors to sentinels (ErrAccessDenied,
ErrDriverFailedPriorUnload, ErrInvalidHandle, ErrShutdown) so the
engine's recovery classifier can reason about them without importing
golang.org/x/sys/windows.

Verified imgk/divert-go@v0.1.0 API matches plan; only deviation is
Recv/Send returning uint (cast to int at our boundary).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/divert/divert_test.go

@@ -0,0 +1,46 @@
+package divert
+
+import (
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestOpen_FalseFilterRoundtrip is a Windows + admin smoke test.
+// Skips when not on Windows or not admin.
+func TestOpen_FalseFilterRoundtrip(t *testing.T) {
+	if runtime.GOOS != "windows" {
+		t.Skip("Windows-only")
+	}
+	if !isAdminTest() {
+		t.Skip("requires admin; run from elevated shell")
+	}
+	// Install the driver first so the .sys is present
+	_, err := InstallDriver()
+	require.NoError(t, err)
+
+	h, err := Open("false") // matches no packets
+	require.NoError(t, err)
+	defer h.Close()
+}
+
+// isAdminTest is a thin wrapper to keep the test file Windows-pure
+// without re-implementing IsAdmin from cmd/drover (we'd circular-import).
+func isAdminTest() bool {
+	// Read TokenElevation directly via os/syscall to avoid the import cycle.
+	// For simplicity we just check whether we can write to System32.
+	// (Smoke-only; production code uses cmd/drover's IsAdmin.)
+	_, err := os.Stat(`C:\Windows\System32\drivers`)
+	if err != nil {
+		return false
+	}
+	f, err := os.OpenFile(`C:\Windows\System32\drivers\.drover-admin-test`, os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return false
+	}
+	f.Close()
+	os.Remove(`C:\Windows\System32\drivers\.drover-admin-test`)
+	return true
+}