Branch policy: ValidateBranchPolicy dagger fn + branch-policy.yml

[haydenk]

Parent

Part of #14

What to build

Add ValidateBranchPolicy(ctx, target, source string) (string, error) to .dagger/main.go and a .github/workflows/branch-policy.yml workflow that calls it on every PR to master/develop.

Branch prefix table (sketch — confirm in PR):

• → develop: feature/*, bugfix/*, chore/*, docs/*, infra/*, refactor/*, test/*, ci/*, chore/back-merge-*
• → master: release/*, hotfix/*

Workflow mirrors haydenk/homestead's branch-policy.yml: pinned dagger/dagger-for-github, GITHUB_TOKEN only.

Acceptance criteria

• ValidateBranchPolicy Go function with table-driven unit tests in .dagger/main_test.go
• dagger call validate-branch-policy --target=... --source=... works locally
• .github/workflows/branch-policy.yml added; uses only official-or-upstream actions
• PR with invalid prefix fails the workflow with a clear ::error annotation
• PR with valid prefix produces a ::notice annotation
• PAT-less (GITHUB_TOKEN only)

Blocked by

None — can start immediately.