Warn-mode policy violations not surfaced in install output (silent) #834

@danielmeppiel

Discovered during W4 live matrix on PR #832

When org policy has enforcement: warn and an apm install triggers a violation, the violation is collected by logger.policy_violation(severity='warn') and pushed to logger.diagnostics, but the user-facing install summary (rendered by apm_diagnostics) does not show it.

Reproduction

DevExpGbb/.github/apm-policy.yml with:

enforcement: warn
dependencies:
  deny: ['microsoft/apm-sample-package']

apm.yml with:

dependencies:
  apm: ['microsoft/apm-sample-package']

apm install --verbose:

  • Verbose log shows [i] Policy: org:DevExpGbb/.github -- enforcement=warn
  • No [!] Policy violation line is emitted to stdout
  • Install proceeds (correct)
  • Final summary shows no policy issues (incorrect — should warn)

Expected

Warn-mode violations should surface visibly in the final install summary so a developer notices and pins/aligns or asks for an exemption before CI fails on apm audit --ci.

Notes

Acceptance

  • Warn-mode policy violations appear in the -- Diagnostics -- section of apm install output.
  • Same per-violation formatting as block mode (denied-by-pattern, allow-list, etc.).
  • No regression in block-mode behavior.

Filed as W4-live follow-up alongside #829 and #831.
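
A regression check for the acceptance criteria above, as an added example that is not part of the issue or of the apm code base: it scans captured `apm install --verbose` output and reports denied packages that a warn-mode run never mentions under `-- Diagnostics --`. The marker strings are quoted from the issue; the function names, the sample outputs and the post-fix wording of the violation line are assumptions.

```python
import re

# Marker strings are quoted from the issue; the final wording of the fixed
# output is an assumption, so adjust them to what apm actually prints.
POLICY_LINE = re.compile(r"\[i\] Policy: \S+ -- enforcement=(\w+)")
DIAG_HEADER = "-- Diagnostics --"
VIOLATION_MARK = "[!] Policy violation"

def diagnostics_section(output):
    """Lines after the Diagnostics header, or [] when there is no header."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == DIAG_HEADER:
            return lines[i + 1:]
    return []

def unsurfaced_violations(output, denied):
    """Denied packages that a warn-mode install summary fails to mention."""
    mode = POLICY_LINE.search(output)
    if mode is None or mode.group(1) != "warn":
        return []  # block mode and no-policy runs are out of scope here
    flagged = [l for l in diagnostics_section(output) if VIOLATION_MARK in l]
    return [pkg for pkg in denied if not any(pkg in l for l in flagged)]

DENIED = ["microsoft/apm-sample-package"]

# Constructed sample outputs (not captured from a real run).
SILENT = """\
[i] Policy: org:DevExpGbb/.github -- enforcement=warn
-- Diagnostics --
"""
SURFACED = """\
[i] Policy: org:DevExpGbb/.github -- enforcement=warn
-- Diagnostics --
[!] Policy violation: microsoft/apm-sample-package (denied by pattern)
"""

if __name__ == "__main__":
    for name, out in (("silent", SILENT), ("surfaced", SURFACED)):
        missing = unsurfaced_violations(out, DENIED)
        print(name, "FAIL " + ", ".join(missing) if missing else "ok")
```

A violation line that appears only in the verbose log, above the Diagnostics header, still counts as unsurfaced, which matches the first acceptance item.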
