Add CLI and backend policy wiring for plan apply and query

[dsa0x]

This is part of a stacked series to upstream the policy work in smaller, reviewable pieces:

• [Add policy client and protocol plumbing #38514]
• [Add policy result types and diagnostic metadata plumbing #38515]
• [Wire policy evaluation into Terraform core runtime #38516]
• [Add CLI and backend policy wiring for plan apply and query #38518] (this)
• [Add init-time policy evaluation #38519]

This PR wires the policy functionality into the normal Terraform command flows. It adds command/backend integration for plan, and apply, initializes the policy client from the CLI path, passes policy configuration/results through the backend layer, and adds the diagnostic/output support needed so policy results are actually visible during those runs.

This is the PR where the earlier core/runtime work becomes real from a user-facing command perspective. It is also where the policy-specific command tests live, since this is the point where policy becomes observable in normal command execution.

Included here

• command wiring for plan and apply
• backend wiring for local/remote/cloud execution paths
• policy client setup in command/meta flow
• command/view diagnostic rendering needed for plan/apply policy output
• policy command tests for plan/apply

Target Release

1.16.x

Rollback Plan

• If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

• This change is user-facing and I added a changelog entry.
• This change is not user-facing.

[github-actions]

Changelog Warning

Currently this PR would target a v1.16 release. Please add a changelog entry for in the .changes/v1.16 folder, or discuss which release you'd like to target with your reviewer. If you believe this change does not need a changelog entry, please add the 'no-changelog-needed' label.