chore: align PolicyRef with OCI reference semantics

[marcusburghardt]

Summary

PR #595 improved OCI reference parsing by delegating to oras-go, but two follow-up improvements would bring PolicyRef into full alignment with OCI Distribution Spec semantics.

Motivation

• The @version notation (e.g., registry.com/repo@v1.0) conflicts with OCI semantics where @ is exclusively a digest separator. Users familiar with OCI tooling (oras, crane, skopeo) may find this ambiguous.
• PolicyRef.Version conflates tags (mutable pointers) and digests (immutable content addresses) into a single field. This prevents complyctl from distinguishing "pin to exact content" from "track latest of this tag" if that distinction is ever needed.

Proposed Changes

1. Deprecate @version notation

• Emit a deprecation warning when ParsePolicyRef encounters a non-digest @ suffix (e.g., @v1.0), advising the user to switch to :tag syntax (e.g., :v1.0).
• Document the deprecation in docs/ and CHANGELOG.md.
• Set a target release for removal of @version support (suggest 2 releases from when the warning is introduced).

2. Split PolicyRef.Version into Tag and Digest fields

• Replace the single Version field with separate Tag string and Digest string fields on PolicyRef.
• Update ParsePolicyRef to populate the correct field based on oras-go output (orasRef.Reference is a tag when orasRef.ReferenceType() returns Tag, digest otherwise).
• Update BuildLookupRef to use the struct fields instead of prefix checking.
• Update all callers that read ref.Version to use ref.Tag or ref.Digest as appropriate.

3. Consistent error reporting in doctor.go

• Update CheckPolicyActivePeriod and CheckComplypacks to report ParsePolicyRef failures as CheckResult{Status: StatusFail} matching the pattern in CheckPolicyVersions.
• Update CheckVariables to include a specific error message (not just increment resolveFailures).

Context

• PR fix(bug): updates support for oci refs #595: fix(bug): updates support for oci refs
• Issue ComplyTime workspace config doesn't support complypacks OCI ref #594: ComplyTime workspace config does not support complypacks OCI ref
• Design doc: openspec/changes/fix-complypack-oci-ref/design.md (Risks / Trade-offs section)