@migmartri migmartri commented Nov 14, 2025

Summary

Add the ability to filter and display workflow runs by policy violation status. This feature includes:

  • API filtering: New --policy-status flag for workflow run list command accepting values: all, failed, passed
  • Database normalization: Added has_policy_violations boolean column to workflow_runs table for efficient querying
  • UI enhancements: Policy status column now displayed in both workflow run list and workflow run describe outputs, showing "passed", "failed", or "N/A"

go run main.go wf run ls
WRN API contacted in insecure mode
┌──────────────────────────────────────┬─────────────────────────────────┬───────────────────────────┬─────────┬───────────────┬─────────────────────┬─────────────┐
│ ID                                   │ WORKFLOW                        │ VERSION                   │ STATE   │ POLICY STATUS │ CREATED AT          │ RUNNER      │
├──────────────────────────────────────┼─────────────────────────────────┼───────────────────────────┼─────────┼───────────────┼─────────────────────┼─────────────┤
│ 19a3f38e-7708-47aa-b9e6-da2fae8652a3 │ myproject/build-container-image │ v1.57.0+next (prerelease) │ success │ failed        │ 14 Nov 25 17:49 UTC │ Unspecified │
│ 4bff0800-64f5-4606-995e-214a2f6f2b3c │ myproject/build-container-image │ v1.57.0+next (prerelease) │ success │ passed        │ 14 Nov 25 17:46 UTC │ Unspecified │
│ 54ad2f0a-3be6-4b86-a24f-e80cb7ef3446 │ myproject/build-container-image │ v1.57.0+next (prerelease) │ success │ passed        │ 14 Nov 25 17:44 UTC │ Unspecified │
│ 481aac08-d305-4c91-a4ee-88ee3f6f6d52 │ my-project-2222/sast            │ 11.11 (prerelease)        │ expired │ N/A           │ 14 Nov 25 17:44 UTC │ Unspecified │

Filtering specifically

go run main.go wf run ls --policy-status failed
WRN API contacted in insecure mode
┌──────────────────────────────────────┬─────────────────────────────────┬───────────────────────────┬─────────┬───────────────┬─────────────────────┬─────────────┐
│ ID                                   │ WORKFLOW                        │ VERSION                   │ STATE   │ POLICY STATUS │ CREATED AT          │ RUNNER      │
├──────────────────────────────────────┼─────────────────────────────────┼───────────────────────────┼─────────┼───────────────┼─────────────────────┼─────────────┤
│ 19a3f38e-7708-47aa-b9e6-da2fae8652a3 │ myproject/build-container-image │ v1.57.0+next (prerelease) │ success │ failed        │ 14 Nov 25 17:49 UTC │ Unspecified │
└──────────────────────────────────────┴─────────────────────────────────┴───────────────────────────┴─────────┴───────────────┴─────────────────────┴─────────────┘

Changes

Backend (Control Plane)

  • Added has_policy_violations nullable boolean field to WorkflowRun schema
  • Added PolicyViolationsFilter enum to proto API (UNSPECIFIED, WITH_VIOLATIONS, WITHOUT_VIOLATIONS)
  • Updated service layer to handle new filter parameter
  • Updated data layer query to filter by policy violations status
  • Modified attestation storage to automatically populate has_policy_violations from policy evaluation results
  • Added HasPolicyViolations field to WorkflowRunItem proto message for list responses

Frontend (CLI)

  • Added --policy-status flag to workflow run list command with values: all, failed, passed
  • Added "Policy Status" column to list table output
  • Added "Policy Status" row to describe output
  • Policy status displays as:
    • "passed" - no policy violations detected
    • "failed" - policy violations detected
    • "N/A" - no policies were evaluated

Fixes #2549

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from javirln and jiparis November 14, 2025 18:54
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Co-authored-by: Jose I. Paris <jiparis@gmail.com>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri merged commit 92f96b6 into chainloop-dev:main Nov 16, 2025
13 checks passed
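
The tri-state behaviour this PR describes (a nullable has_policy_violations rendered as "passed", "failed" or "N/A"), as an added Go example that is not code from the Chainloop repository. The Run type, the Go identifiers, the flag-to-filter mapping, and the choice that a "passed" filter excludes runs with no evaluated policies are assumptions made for illustration.

```go
package main

import "fmt"
// PolicyFilter mirrors the PR's enum values; the Go names are hypothetical.
type PolicyFilter int
const (
	FilterUnspecified       PolicyFilter = iota // assumed: --policy-status all
	FilterWithViolations                        // assumed: --policy-status failed
	FilterWithoutViolations                     // assumed: --policy-status passed
)

// Run is a hypothetical stand-in for a workflow_runs row.
type Run struct {
	ID                  string
	HasPolicyViolations *bool // nil (NULL): no policies were evaluated
}

// PolicyStatus renders the nullable column as the PR describes.
func PolicyStatus(r Run) string {
	if r.HasPolicyViolations == nil {
		return "N/A"
	} else if *r.HasPolicyViolations {
		return "failed"
	}
	return "passed"
}

// FilterRuns never counts an unevaluated (nil) run as passed or failed.
func FilterRuns(runs []Run, f PolicyFilter) []Run {
	var out []Run
	for _, r := range runs {
		v := r.HasPolicyViolations
		if f == FilterUnspecified || (v != nil && *v == (f == FilterWithViolations)) {
			out = append(out, r)
		}
	}
	return out
}

func SampleRuns() []Run {
	yes, no := true, false // constructed sample data
	return []Run{{"run-failed", &yes}, {"run-passed", &no}, {"run-na", nil}}
}

func main() {
	for _, r := range FilterRuns(SampleRuns(), FilterWithoutViolations) {
		fmt.Println(r.ID, PolicyStatus(r))
	}
}
```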