KC-1304: Enforce enterprise password and restrict record-type policies on nsf-record commands#2132

Open
sshrushanth-ks wants to merge 1 commit into
nsf-password-complexity-enforcementfrom
nsf-password-complexity-enforcement-int

Conversation

@sshrushanth-ks

Contributor

Summary

The nsf-record-add and nsf-record-update commands now enforce GENERATED_PASSWORD_COMPLEXITY and RESTRICT_RECORD_TYPES, matching the Vault UI. Weak passwords warn and block unless --force is given; restricted record types always block. $GEN uses the role password policy.

Changes

  • Added RecordTypeEnforcer.enforce() to nsf-record-add and nsf-record-update to reject restricted record types before the API call
  • Added PasswordComplexityEnforcer.get_policy() and validate_record() to nsf-record-add and nsf-record-update to validate passwords against the role complexity policy
  • Wired $GEN in NSF commands to pass policy=self._password_policy so generated passwords follow enterprise rules
  • Added merged-record validation in nsf-record-update so password checks apply to the full updated record, not just changed fields
  • Fixed RecordTypeEnforcer.get_restricted_record_types() to resolve record-type IDs using scoped record_type_cache keys from sync_down (recordTypeId + scope * 1_000_000)
  • Fixed legacy/general $GEN in record_edit.py to pass the password policy into generate_password()
  • Added unit tests for restricted record types, weak-password blocking, --force bypass, and policy-driven $GEN on NSF record add/update
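
The following is an added, stand-alone model of the enforcement flow the description above lays out, written to make the ordering of the checks concrete. It is not code from this PR or from the project; names such as `PasswordPolicy`, `Outcome`, `enforce`, `restricted_type_names` and the policy fields are assumptions, and the record dicts and record-type cache it builds are constructed sample data. The only detail taken directly from the PR is the scoped cache key scheme, `recordTypeId + scope * 1_000_000`.

```python
import secrets
import string
from dataclasses import dataclass, field

# From the PR description: record_type_cache keys are recordTypeId + scope * 1_000_000.
SCOPE_MULTIPLIER = 1_000_000
SPECIAL = "!@#$%^&*()-_=+"


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical shape of a role password-complexity policy (assumed fields)."""
    length: int = 12
    upper: int = 1
    lower: int = 1
    digits: int = 1
    special: int = 1


def policy_violations(password, policy):
    """Return human-readable rule failures; an empty list means the password complies."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL for c in password),
    }
    failures = []
    if len(password) < policy.length:
        failures.append(f"length {len(password)} < {policy.length}")
    for name, have in counts.items():
        need = getattr(policy, name)
        if have < need:
            failures.append(f"{name} {have} < {need}")
    return failures


def generate_password(policy):
    """$GEN: satisfy every class minimum first, pad to the required length, then shuffle."""
    chars = (
        [secrets.choice(string.ascii_uppercase) for _ in range(policy.upper)]
        + [secrets.choice(string.ascii_lowercase) for _ in range(policy.lower)]
        + [secrets.choice(string.digits) for _ in range(policy.digits)]
        + [secrets.choice(SPECIAL) for _ in range(policy.special)]
    )
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while len(chars) < policy.length:
        chars.append(secrets.choice(alphabet))
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def scoped_key(record_type_id, scope):
    return record_type_id + scope * SCOPE_MULTIPLIER


def restricted_type_names(record_type_cache, restricted_ids):
    """Resolve restricted record-type IDs to names through the scoped cache keys.
    A plain cache[record_type_id] lookup misses any type stored under scope > 0."""
    names = set()
    for key, record_type in record_type_cache.items():
        if key % SCOPE_MULTIPLIER in restricted_ids:
            names.add(record_type["name"])
    return names


@dataclass
class Outcome:
    blocked: bool
    record: dict = None
    messages: list = field(default_factory=list)


def enforce(record, policy, restricted_names, existing=None, force=False):
    """Check an add (existing=None) or an update (existing=current record).
    Restricted types block unconditionally; a weak password blocks unless force,
    in which case it is reported as a warning and the record goes through."""
    merged = {**(existing or {}), **record}  # update validates the full merged record
    if merged.get("type") in restricted_names:
        return Outcome(True, None, [f"record type '{merged['type']}' is restricted by policy"])
    messages = []
    password = merged.get("password")
    if password == "$GEN":
        merged["password"] = generate_password(policy)  # policy-driven generation
    elif password:
        failures = policy_violations(password, policy)
        if failures:
            messages.append("password violates role policy: " + "; ".join(failures))
            if not force:
                return Outcome(True, None, messages)
    return Outcome(False, merged, messages)
```

The update path is the one worth attention: because `enforce` merges the existing record before validating, a change that touches only the title still fails when the stored password is weak, which is the behaviour the "merged-record validation" bullet describes. Resolving restricted types by `key % SCOPE_MULTIPLIER` rather than by the raw ID is what keeps a type cached under a non-zero scope from slipping past the check.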

@sshrushanth-ks sshrushanth-ks self-assigned this Jun 8, 2026
@sshrushanth-ks sshrushanth-ks marked this pull request as ready for review June 8, 2026 11:13