fixes for workarounds
The branches have already diverged too much, so targeting another PR: !519 (merged)
This fixes flags in some places being read from the global context and not from query flags, making them impossible to override in policy filters. It also allows some flags to survive CNAME hops. It also allows lame answers in PERMISSIVE mode, which fixes negative answers from F5 load balancers. The last thing is adding bindings to the checkout layer to be able to run policies before sending service queries.