chore: implement org-wide governance logic #29

Merged: damaz91 merged 3 commits into main from chore--implement-governance on Jun 24, 2026
Conversation

@nicholasjameshall nicholasjameshall commented Jun 23, 2026

Contributor

Description


PR Description

📝 Description

This PR introduces the GitHub Org Governance Tools (specifically the PR Validator engine), adds reusable workflows for CI/CD gating, and sets up/fixes the unit testing workflows.

During local verification, several documentation paths were corrected, a stale unit test assertion was resolved, and a bug in the label-sync test workflow step was fixed to ensure 100% test coverage and passing status checks.


🚀 Key Features & Additions

1. PR Validator Engine (org-tools/governance/)

Introduces a robust Python-based rule engine to validate incoming pull requests against customized governance rules using a hierarchical clearance structure:

  • pr_validator.py: The entry point that fetches PR metadata (changed files, reviews, authors), queries team memberships, and evaluates reviews.
  • governance_config_parser.py: Handles parsing and validation of rules configurations (e.g., detecting overlapping rules or files falling into default fallbacks).
  • Hierarchical Approvals: Leverages a defined team hierarchy where approvals from higher clearance tiers satisfy requirements for lower levels.
  • Venn Diagram Model: A dynamic evaluation model mapping file patterns to required team approvals.
  • Proxy Reviews: Support for specific users to override/approve on behalf of any team.

2. Workflows & CI/CD Gating

  • reusable-governance.yml: A reusable workflow designed to run the PR validator dynamically as a status check. It checks out the central governance scripts, evaluates approvals, and posts rich Markdown reports directly to the GitHub Job Summary page and inline workflow annotations.
  • tests.yml: A workflow executing all unit tests for the governance tools and label synchronization tool on every push and pull request to main.

Note: will send a follow-up PR to refactor pr_validator and split logic into classes with better grouped logic


Category (Required)

Please select one or more categories that apply to this change.

  • Core Protocol: Changes to the base communication layer, global context, or breaking refactors. (Requires Technical Council approval)
  • Governance/Contributing: Updates to GOVERNANCE.md, CONTRIBUTING.md, or CODEOWNERS. (Requires Governance Council approval)
  • Capability: New schemas (Discovery, Cart, etc.) or extensions. (Requires Maintainer approval)
  • Documentation: Updates to README, or documentations regarding schema or capabilities. (Requires Maintainer approval)
  • Infrastructure: CI/CD, Linters, or build scripts. (Requires DevOps Maintainer approval)
  • Maintenance: Version bumps, lockfile updates, or minor bug fixes. (Requires DevOps Maintainer approval)
  • SDK: Language-specific SDK updates and releases. (Requires DevOps Maintainer approval)
  • Samples / Conformance: Maintaining samples and the conformance suite. (Requires Maintainer approval)
  • UCP Schema: Changes to the ucp-schema tool (resolver, linter, validator). (Requires Maintainer approval)
  • Community Health (.github): Updates to templates, workflows, or org-level configs. (Requires DevOps Maintainer approval)

Related Issues

Checklist

  • I have followed the Contributing Guide (including Conventional Commits title requirements and ! for breaking changes).
  • I have updated the documentation (if applicable).
  • My changes pass all local linting and formatting checks.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • (For Core/Capability) I have included/updated the relevant JSON schemas.
  • I have regenerated Python Pydantic models by running generate_models.sh under python_sdk.

Screenshots / Logs (if applicable)

Comment thread .github/workflows/reusable-governance.yml Outdated
Comment thread org-tools/governance/scripts/validation_logger.py Outdated
Comment thread org-tools/governance/docs/validation_report.md Outdated
Comment thread org-tools/governance/docs/validation_report.md Outdated
Comment thread org-tools/governance/docs/validation_report.md Outdated
Comment thread .github/workflows/reusable-governance.yml Outdated
Comment thread .github/workflows/tests.yml Outdated
Comment thread org-tools/governance/docs/validation_report.md Outdated
Comment thread .github/workflows/reusable-governance.yml Outdated
Comment thread org-tools/governance/docs/validation_report.md Outdated
Comment thread .github/workflows/reusable-governance.yml
@damaz91 damaz91 merged commit 41b0c24 into main Jun 24, 2026
9 checks passed
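
The evaluation model outlined in the PR description (file patterns mapped to required teams, higher tiers satisfying lower ones, proxy reviewers), sketched as an added example that is not code from this PR or project. Team names, patterns, users and all function names are hypothetical; it assumes first-match-wins rules, that only each reviewer's latest non-comment review counts, and that the author's own approval is ignored.

```python
from fnmatch import fnmatch

# Constructed sample data: team names, patterns and users are hypothetical.
HIERARCHY = ["maintainers", "devops-maintainers", "governance-council"]  # low -> high
RULES = [  # first match wins; the final "*" is the default fallback
    (".github/*", "devops-maintainers"),
    ("GOVERNANCE.md", "governance-council"),
    ("*", "maintainers"),
]
MEMBERS = {
    "maintainers": {"bob"},
    "devops-maintainers": {"dave"},
    "governance-council": {"carol"},
}
PROXIES = {"erin"}  # may approve on behalf of any team

def required_team(path):
    """Team whose approval the first matching rule demands for this path."""
    for pattern, team in RULES:
        if fnmatch(path, pattern):  # fnmatch's "*" also spans "/" separators
            return team
    raise ValueError(f"no rule covers {path!r}")

def clearance(user):
    """Index of the highest tier the user belongs to, or -1 for none."""
    tiers = [HIERARCHY.index(t) for t, users in MEMBERS.items() if user in users]
    return max(tiers, default=-1)

def latest_states(reviews):
    """Reduce (user, state) pairs, oldest first, to each user's current verdict."""
    latest = {}
    for user, state in reviews:
        if state != "COMMENTED":  # a plain comment does not withdraw an approval
            latest[user] = state
    return latest

def evaluate(author, changed_files, reviews):
    """Return {team: [files]} still lacking approval; an empty dict means pass."""
    approvers = {u for u, s in latest_states(reviews).items()
                 if s == "APPROVED" and u != author}  # never count self-approval
    if approvers & PROXIES:
        return {}
    best = max((clearance(u) for u in approvers), default=-1)
    missing = {}
    for path in changed_files:
        team = required_team(path)
        if best < HIERARCHY.index(team):  # higher tiers satisfy lower ones
            missing.setdefault(team, []).append(path)
    return missing
```

The cases worth testing in a gate like this are the ones that fail closed: an approval later replaced by CHANGES_REQUESTED, an approver who is also the author, and a path that only the fallback rule covers.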
3 participants