schema: plan validation rules + results tables #1088

@adityachoudhari26

Description

Sub-issue of #1073.

Add the two Drizzle tables and migration for plan validation. No application code in this issue.

Tables

policyRulePlanValidationOpa in packages/db/src/schema/policy.ts — alongside the other ten policyRule* tables.

| Column | Type |
| --- | --- |
| id | uuid PK |
| policyId | uuid → policy.id ON DELETE CASCADE |
| name | text |
| description | text (nullable) |
| rego | text |
| severity | text — "error" or "warning" |
| createdAt | timestamptz |

deploymentPlanTargetResultValidation in packages/db/src/schema/deployment-plan.ts.

| Column | Type |
| --- | --- |
| id | uuid PK |
| resultId | uuid → deploymentPlanTargetResult.id ON DELETE CASCADE |
| ruleId | uuid → policyRulePlanValidationOpa.id |
| passed | boolean |
| violations | jsonb (string[]) |
| evaluatedAt | timestamptz |

Unique index on (resultId, ruleId) for upsert semantics.

Other

  • Wire relations on both sides (policyRelations, plus a new deploymentPlanTargetResultValidationRelations).
  • Generate the migration in packages/db/drizzle/.

Open question

Severity may be returned from Rego output (Conftest-style detailed object: {msg, severity}) rather than stored on the rule — see jsbroks's comment on #1073. Decide before merging this schema; it changes whether severity is a column or a computed field on the result row.
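
To make the open question concrete, here is an added sketch (not code from the issue or the repository) of mapping one rule's Rego output to a result row, with severity taken from a Conftest-style entry when present and from the rule column otherwise. All type and function names are hypothetical, and treating any violation as `passed = false` is an assumption the issue does not state.

```typescript
// Added illustration. Type and function names here are hypothetical, not from the repo.
type Severity = "error" | "warning";

// Subset of the policyRulePlanValidationOpa columns listed in the issue.
interface RuleRow { id: string; severity: Severity }

// One entry of a rule's Rego output: a plain message, or a Conftest-style object.
type DenyEntry = string | { msg: string; severity?: string };

// deploymentPlanTargetResultValidation columns, plus severity as a computed field.
interface ValidationRow {
  resultId: string;
  ruleId: string;
  passed: boolean;
  violations: string[];
  severity: Severity;
  evaluatedAt: Date;
}

function isSeverity(v: unknown): v is Severity {
  return v === "error" || v === "warning";
}

function toValidationRow(resultId: string, rule: RuleRow, deny: DenyEntry[], now: Date = new Date()): ValidationRow {
  const violations: string[] = [];
  let worst: Severity | null = null;
  for (const entry of deny) {
    const msg = typeof entry === "string" ? entry : entry.msg;
    const reported = typeof entry === "string" ? undefined : entry.severity;
    // Policy output is untrusted text: accept only the two known values,
    // otherwise fall back to the severity stored on the rule.
    const sev: Severity = isSeverity(reported) ? reported : rule.severity;
    violations.push(msg);
    if (sev === "error" || worst === null) worst = sev;
  }
  // Assumption: any violation fails the rule; severity says how to treat the failure.
  return { resultId, ruleId: rule.id, passed: violations.length === 0, violations,
           severity: worst ?? rule.severity, evaluatedAt: now };
}

// Mirrors the unique index on (resultId, ruleId): re-evaluation replaces the row.
function upsert(store: Map<string, ValidationRow>, row: ValidationRow): void {
  store.set(`${row.resultId}:${row.ruleId}`, row);
}
```

If severity stays a column on the rule only, the `reported` branch disappears and every row inherits `rule.severity`.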
