
Wire policy evaluation into Terraform core runtime#38516

Draft
dsa0x wants to merge 3 commits into policy-pr2-results-diags from policy-pr3-core-runtime

Conversation


@dsa0x dsa0x commented May 4, 2026

This is part of a stacked series to upstream the policy work in smaller, reviewable pieces:

This PR wires policy evaluation into Terraform core itself. It adds the runtime behavior for evaluating policy during graph execution, passes the relevant metadata and values into the policy engine, and records the resulting policy outcomes back onto the run so later layers can surface them.

This is the core of the stack. The main thing happening here is not CLI behavior yet, but rather defining where policy runs in the Terraform runtime, what objects get evaluated, and how those results are tracked.

Included here

  • policy evaluation during core graph/runtime execution
  • provider/resource runtime wiring
  • core tests covering policy behavior
  • supporting core/test plumbing needed to make that work

Target Release

1.16.x

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.


Labels

no-changelog-needed Add this to your PR if the change does not require a changelog entry
