feat(cloud-assembly-schema): add policy validation report schema types#1515

Open
kaizencc wants to merge 1 commit into
mainfrom
conroyka/validation-report-schema

Conversation

@kaizencc
Contributor

@kaizencc kaizencc commented May 14, 2026

Define the JSON schema types for policy-validation-report.json in the shared cloud-assembly-schema package. This file is written by aws-cdk-lib during synthesis and consumed by toolkit-lib's validate command. Having the types in the shared contract prevents drift between producer and consumer.

Corresponding types in aws-cdk-lib

These schema types mirror the structures defined in aws-cdk-lib:

Schema sufficiency for RFC 899

We evaluated whether schema changes are needed to support CDK Comprehensive Validation (RFC 899) and its proposed output format. The existing schema is sufficient — all data required by the RFC is either already present or derivable at display time:

| RFC requirement | How it's satisfied |
| --- | --- |
| Severity grouping (Fatal/Error/Warning) | `PolicyViolationJson.severity` is already present. CLI groups violations by severity at display time. Defaults to Warning if absent. |
| Source name (e.g. "ValidationEngine (Default)", "CdkNagValidator") | Derivable from `PluginReportJson.summary.pluginName` |
| Suppression/acknowledge ID | Derivable as `${pluginName}::${ruleName}` (both fields present). Spaces replaced with dashes per aws-cdk#37808. |
| Suppress instruction | Computed by CLI: `Acknowledge '${pluginName}::${ruleName}'`. Omitted for Fatal violations. |
| Summary counts | Computed from violation arrays at render time |
| Source file location | `ViolatingConstructJson.constructStack.location` |
| Construct path | `ViolatingConstructJson.constructPath` |

For Construct Annotations specifically, aws-cdk-lib (via #37808) converts annotations into PolicyViolation objects before writing the report — extracting the [ack: id] tag as ruleName and mapping the level to severity. By the time the CLI reads the report, it's already structured.

No additional schema fields are needed. The RFC output is purely a CLI display concern.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
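The following is an added example, not code from this PR or from aws-cdk/toolkit-lib: a minimal CLI-side renderer that derives each item in the table above (severity grouping with the Warning default, the `${pluginName}::${ruleName}` acknowledge ID with spaces replaced by dashes, the suppress instruction that is omitted for Fatal, summary counts computed at render time) from a report shaped like `policy-validation-report.json`. Only the field paths named in the PR (`summary.pluginName`, `severity`, `ruleName`, `constructPath`, `constructStack.location`) are taken from the text; the interface shapes, the array names `violations` and `violatingConstructs`, the capitalised severity literals and the sample report are assumptions made for the example.

```typescript
// Added example; types below are an assumed approximation of the schema
// described in PR #1515, not the published cloud-assembly-schema types.
type Severity = 'Fatal' | 'Error' | 'Warning';

interface ViolatingConstructJson {
  constructPath: string;                        // named in the PR
  constructStack?: { location?: string };       // named in the PR
}

interface PolicyViolationJson {
  ruleName: string;                             // named in the PR
  severity?: Severity;                          // absent -> treated as Warning
  violatingConstructs: ViolatingConstructJson[]; // assumed array name
}

interface PluginReportJson {
  summary: { pluginName: string; status: string }; // pluginName named in the PR
  violations: PolicyViolationJson[];               // assumed array name
}

const SEVERITY_ORDER: Severity[] = ['Fatal', 'Error', 'Warning'];

/** Acknowledge ID: `${pluginName}::${ruleName}` with spaces replaced by dashes. */
function ackId(pluginName: string, ruleName: string): string {
  const dash = (s: string) => s.replace(/ /g, '-');
  return `${dash(pluginName)}::${dash(ruleName)}`;
}

/** Effective severity: the PR says absent severity defaults to Warning. */
function effectiveSeverity(v: PolicyViolationJson): Severity {
  return v.severity ?? 'Warning';
}

/** Suppress instruction; undefined (omitted) for Fatal violations. */
function suppressInstruction(pluginName: string, v: PolicyViolationJson): string | undefined {
  if (effectiveSeverity(v) === 'Fatal') return undefined;
  return `Acknowledge '${ackId(pluginName, v.ruleName)}'`;
}

/** Group violations by severity at display time; no grouping field in the report. */
function groupBySeverity(report: PluginReportJson): Record<Severity, PolicyViolationJson[]> {
  const groups: Record<Severity, PolicyViolationJson[]> = { Fatal: [], Error: [], Warning: [] };
  for (const v of report.violations) groups[effectiveSeverity(v)].push(v);
  return groups;
}

/** Summary counts computed from the violation arrays rather than stored in the file. */
function summaryCounts(report: PluginReportJson): Record<Severity, number> {
  const g = groupBySeverity(report);
  return { Fatal: g.Fatal.length, Error: g.Error.length, Warning: g.Warning.length };
}

/** Render the report as text lines, Fatal first, each construct with its source location. */
function render(report: PluginReportJson): string[] {
  const plugin = report.summary.pluginName;
  const groups = groupBySeverity(report);
  const lines: string[] = [];
  for (const sev of SEVERITY_ORDER) {
    if (groups[sev].length === 0) continue;
    lines.push(`${sev} (${groups[sev].length})`);
    for (const v of groups[sev]) {
      lines.push(`  [${plugin}] ${v.ruleName}`);
      for (const c of v.violatingConstructs) {
        const loc = c.constructStack?.location ? ` (${c.constructStack.location})` : '';
        lines.push(`    at ${c.constructPath}${loc}`);
      }
      const hint = suppressInstruction(plugin, v);
      if (hint !== undefined) lines.push(`    ${hint}`);
    }
  }
  return lines;
}

// Constructed sample report for the example; not real synth output.
const SAMPLE: PluginReportJson = {
  summary: { pluginName: 'ValidationEngine (Default)', status: 'failure' },
  violations: [
    { ruleName: 'S3 bucket must block public access', severity: 'Error',
      violatingConstructs: [{ constructPath: 'MyStack/Bucket/Resource',
                              constructStack: { location: 'lib/my-stack.ts:12' } }] },
    { ruleName: 'Resource limit exceeded', severity: 'Fatal',
      violatingConstructs: [{ constructPath: 'MyStack' }] },
    { ruleName: 'Missing tags', // severity absent -> Warning
      violatingConstructs: [{ constructPath: 'MyStack/Queue/Resource' }] },
  ],
};

console.log(render(SAMPLE).join('\n'));
```

The point of the example is that nothing here reads a field the schema does not already carry: the only derived string is the acknowledge ID, and the Fatal branch shows why a Fatal violation gets no suppress hint (there is nothing the user can acknowledge away).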

Define the JSON schema types for `policy-validation-report.json` in
the shared cloud-assembly-schema package. This file is written by
aws-cdk-lib during synthesis and consumed by toolkit-lib's validate
command. Having the types in the shared contract prevents drift between
producer and consumer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@aws-cdk-automation aws-cdk-automation requested a review from a team May 14, 2026 17:22
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.09%. Comparing base (1ea1ae7) to head (bf2cb86).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
```diff
@@           Coverage Diff           @@
##             main    #1515   +/-   ##
=======================================
  Coverage   88.09%   88.09%           
=======================================
  Files          75       75           
  Lines       10721    10721           
  Branches     1465     1465           
=======================================
  Hits         9445     9445           
  Misses       1248     1248           
  Partials       28       28           
```

| Flag | Coverage Δ |
| --- | --- |
| suite.unit | 88.09% <ø> (ø) |


kaizencc added a commit that referenced this pull request May 14, 2026
…lidate

Instead of redefining the policy validation report types locally,
import them from @aws-cdk/cloud-assembly-schema (added in PR #1515).
This removes ~130 lines of duplicate type definitions and simplifies
the validate method to a typed cast instead of manual field mapping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@kaizencc kaizencc mentioned this pull request May 14, 2026