Add classifier fail-closed policy foundation

[Muhammad-usman92]

Summary

Adds the status-first foundation for classifier failures. Classifier outages are now represented as ERROR verdicts with empty MAD codes, backed by additive proto fields, generated bindings, ledger-tracked migrations, store/API support, and engine error semantics that no longer fabricate benign M0 results.

Test plan

• go test ./... from backend
• Migration runner tests, including double-run safety
• Populated DB upgrade test for verdict table rebuild
• Engine classifier failure tests

Checklist

• CLA signed
• Tests pass locally
• Docs updated where needed
• British English; no em-dashes; no marketing fluff

[yanny-sec]

The PR looks good so far. A few things:

• The new migration is destructive so I'd like a test that are run against embedded migration (migrations.Files) to a DB that's in the pre 002 migration state with data in it
• Make the migration safe to re-run if the process is killed mid-way. The next run shouldn't fail at "column already exists"
• setup.py uses interpolation instead of parameterisation. For security and consistency with the Go code, let's make it use parameters.

[Muhammad-usman92]

The PR looks good so far. A few things:

• The new migration is destructive so I'd like a test that are run against embedded migration (migrations.Files) to a DB that's in the pre 002 migration state with data in it
• Make the migration safe to re-run if the process is killed mid-way. The next run shouldn't fail at "column already exists"
• setup.py uses interpolation instead of parameterisation. For security and consistency with the Go code, let's make it use parameters.

Thanks for the feedback,

I added embedded migration tests for a populated pre-002 DB, made migration 002 recover cleanly after an interrupted run, and switched setup.py to parameterized queries.