chore(ci): add \validate:all\ + fix undefined \validate:monorepo\ reference

\`ci.yml\` had a \`pnpm run validate:monorepo\` step that referenced a
script defined nowhere in the repo — CI would fail at that step
whenever the validate job ran. Replacing it with a new bundled
\`validate:all\` script closes that gap and gives contributors a single
local command that mirrors what CI enforces.

- New \`validate:all\` chains the three fast repo-invariant checks
  (turbo recursion, pgSchema isolation, crypto registry) with fail-fast
  semantics. Runtime ~1s — suitable as a pre-push gate.
- \`validate:dockerfiles\` intentionally left out: its current output
  is 41 pre-existing "MISSING" warnings on two web Dockerfiles, which
  look like a validator-vs-wildcard-COPY mismatch rather than real
  issues. Keeping it as a standalone script so those can be
  triaged separately without blocking \`validate:all\`.
- ci.yml: four separate validate steps collapsed into one. The step
  rename also removes the dead \`validate:monorepo\` call.

Verified: \`pnpm run validate:all\` exits 0 in ~1s — 138 packages
scanned for turbo recursion, 727 TypeScript files for raw pgTable,
190 Dexie tables classified in the crypto registry (85 encrypted,
105 allowlisted plaintext).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -437,17 +437,8 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Validate monorepo best practices
-        run: pnpm run validate:monorepo
-
-      - name: Validate no recursive turbo calls
-        run: pnpm run validate:turbo
-
-      - name: Validate pgSchema isolation (no raw pgTable)
-        run: pnpm run validate:pg-schema
-
-      - name: Audit crypto registry (Dexie ↔ registry ↔ allowlist)
-        run: pnpm run check:crypto
+      - name: Validate monorepo invariants (turbo + pgSchema + crypto)
+        run: pnpm run validate:all
 
       - name: Type check
         run: pnpm run type-check