Implement CAMARA Validation Framework v1

[hdamker]

Problem description

CAMARA needs automated validation of API specifications across PR, pre-snapshot, and release review contexts. The current approach (MegaLinter-based pr_validation v0) covers only PR-time linting with limited configurability and no integration with the release automation workflow.

Part of #191 (Develop automation support in support of release management). Supersedes #353 (C1 workflow), which covered the PR-time subset of this scope.

Possible evolution

Implement the validation framework v1 as described in #447 (requirements and detailed design). Key capabilities:

• Three execution contexts: PR-time (standard profile), pre-snapshot (strict profile), release review PR (subset checks)
• Bundling pipeline: resolve external $ref to produce standalone API specs, replacing manual copy-paste of common schemas
• Findings model: structured output with severity levels, validation profiles, and applicability conditions
• Spectral ruleset pre-selection by Commonalities version (r3.4, r4.x)
• Central configuration: per-repo validation settings managed in the tooling repository
• Four-stage rollout: dark → advisory → standard → blocking, controlled per repository
• Dedicated validation GitHub App for findings surfacing on fork PRs (annotations, comments, commit status)
• Release automation handoff: bundled specs produced once during validation, consumed by snapshot creation

Dependencies

• docs: add validation framework requirements and detailed design #447 — requirements and detailed design (under review)
• Support Commonalities consumption and bundling workflow across CAMARA repositories #435 — Commonalities consumption and bundling design
• Implement PR Validation Framework (C1 Workflow) #353 — original C1 workflow scope (subsumed by this issue)
• Dedicated validation GitHub App (to be created)
• Commonalities audit of existing Spectral rules against design guides

Additional context

The v1 caller workflow runs alongside the existing v0 caller during transition. Per-repo progression through rollout stages allows controlled adoption across 60+ repositories. v0 is removed per-repo after v1 is validated and blocking.