Commit 16da4da
docs: rewrite evaluate_trails_with_opa tutorial to fix false-positive compliance footgun (#220)
The previous tutorial used `allow if { count(violations) == 0 }`
throughout. This pattern silently grants compliance when the violations
rule body fails to fire -- for example when the attestation key is
wrong. The kosli-public/cli flow names its pull-request attestation
"pr", not "pull-request". Under the old policy, those trails were shown
as ALLOWED not because PRs had approvers, but because the violations
rule never matched and the empty set vacuously passed. The tutorial was
demonstrating the exact footgun it should have warned against.
Rewrites all policies to drive `allow` through positive assertions
(`every`) rather than absence of violations. Parameterises the
attestation name via --params so the policy works across orgs with
different naming conventions. Explains the three design rules (fail-safe
default, positive assertion, violations as diagnostics only) and adds a
missing-param fail-safe test. Also fixes a Rego v1 strict-mode compile
error: unused iteration variable replaced with `_`.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

1 parent 6742ea9 commit 16da4da
1 file changed
Lines changed: 168 additions & 58 deletions
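The footgun the commit message describes beside the rewritten pattern, as an added Rego example that is not the tutorial's own code; the input shape and the `data.params.pr_attestation` parameter path are assumptions:

```rego
package trails

import rego.v1

# Constructed sample input (not from the page). Trail "t1" uses the
# kosli-public/cli naming ("pr") and has an approver; trail "t2" has none.
# input := {"trails": [
#   {"name": "t1", "attestations": [{"name": "pr", "approvers": ["alice"]}]},
#   {"name": "t2", "attestations": [{"name": "pr", "approvers": []}]}
# ]}

# --- Footgun: compliance by absence of violations ------------------------
# `violations` only fires for attestations literally named "pull-request".
# On "pr" trails it never matches, the set is empty, and allow_old is
# vacuously true for t2 even though nobody approved it.
violations contains t.name if {
	some t in input.trails
	some a in t.attestations
	a.name == "pull-request"
	count(a.approvers) == 0
}

allow_old if count(violations) == 0

# --- Rewritten: fail-safe default, positive assertion ---------------------
# The attestation name is a parameter (assumed to arrive as
# data.params.pr_attestation). If the param is missing, `name` is undefined,
# the `allow` body is undefined, and the default wins: never granted.
default allow := false

allow if {
	name := data.params.pr_attestation
	count(input.trails) > 0
	every t in input.trails {
		some a in t.attestations
		a.name == name
		count(a.approvers) > 0
	}
}

# Violations stay diagnostics only: they explain a false `allow`, they never
# decide it. The trail index is the wildcard `_`, which Rego v1 strict mode
# accepts where an unused named variable would be a compile error.
unapproved contains t.name if {
	t := input.trails[_]
	name := data.params.pr_attestation
	some a in t.attestations
	a.name == name
	count(a.approvers) == 0
}
```

With the sample input and `pr_attestation` set to "pr", `allow_old` is true while `allow` is false and `unapproved` names "t2"; with the param unset, `allow` is false and `unapproved` is empty.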