feat: cascade verify detects drift in generated workflows

[joshua-temple]

Generated workflows are marked as cascade-owned, but nothing checks that the committed
files still match what the manifest would produce. Hand edits and stale checkouts drift
silently until a release behaves unexpectedly.

Add a read-only cascade verify subcommand that regenerates the managed workflows in
memory and compares them against the files on disk, reporting any difference and exiting
non-zero on drift. It is the natural companion to a continuous-integration check that
keeps generated files honest.

Proposed approach:

• New verify subcommand that runs the same generation path and diffs against committed
  files for every managed output (orchestrate, promote, rollback, and the other generated
  workflows and the managed action).
• Optionally enrich the existing managed header with the producing version so drift
  reports can name the expected generator version.
• Keep it strictly read-only.

Acceptance criteria:

• verify exits zero when committed files match generation and non-zero with a clear diff
  when they do not.
• The command covers every file the generator emits.
• An e2e scenario edits a generated file and asserts verify fails, then regenerates and
  asserts it passes.