docs(#1748): add exclusion info to per-rule documentation

[fullsend-ai-coder]

Update the package.template to include a standardized note after each rule's Code line explaining how to exclude that rule from policy evaluation. The note documents three exclusion methods: by specific rule code, by entire package name, and by collection.

Regenerated all 49 package documentation pages via make generate-docs to include the new exclusion text.

---

Closes #1748

Post-script verification

• Branch is not main/master (agent/1748-add-exclusion-docs)
• Secret scan passed (gitleaks — 71f6e6cf3f4e90d51f66207404e70034b501b3f7..HEAD)
• Pre-commit hooks passed (authoritative run on runner)
• Tests ran inside sandbox

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:32 AM UTC · Completed 10:43 AM UTC
Commit: 47d3320 · View workflow run →

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
unit-tests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

Review

Findings

Medium

• [technical accuracy in documentation] docs/asciidoc/package.template:27 — The template renders a literal placeholder @collection-name instead of actual collection names. The .Custom["collections"] field is available during template rendering (used by the isBuiltIn helper in asciidoc.go), so actual collection names could be rendered. Users cannot determine which collection(s) a rule belongs to from this text alone — they would need to look elsewhere, partially defeating the purpose of the documentation addition.
  Remediation: Use the template data to render actual collection names via a {{- with index .Custom "collections" }} block that iterates over collections and lists each with the @ prefix.

Low

• [edge case handling] docs/asciidoc/package.template:27 — Rules in the task, pipeline, stepaction, and build_task packages have no collections annotations, yet the generated documentation still claims users can "exclude by collection with @collection-name". This is misleading since those rules cannot be excluded by collection.
  Remediation: Wrap the collection exclusion text in a conditional that checks whether the rule has any collections defined, e.g., {{- with index .Custom "collections" }}...{{- end }}.