Add negative-path validation coverage

[hicksy]

What this changes

The suite only tested acceptance, so a target that is too lenient (accepts malformed expressions, mis-accounts sizes, skips structural validation) still scored well. This adds the matching rejection coverage: begins_with operand types, contains() duplicate operands, redundant parentheses, size() UTF-16 counting, number byte-sizing, ExclusiveStartKey and Segment validation, and a small control-plane sweep. Error codes sit in the operation's own tier, exact messages in tier3.

Tests drafted with AI assistance (Claude Opus 4.7), characterised and validated against real AWS DynamoDB.

Closes #16.

Checklist

• New or modified tests run against real AWS DynamoDB and pass
• New or modified tests run against at least one emulator target and behave as expected
• If AI tools drafted or materially shaped this change, disclosed in the description above
• Linked issue or a short note explaining the motivation

Tier and scope

No tier definitions or pipeline changes. When the results table is regenerated, lenient targets gain fails: that is expanded coverage, not a regression. Ran against Dynoxide 0.9.x, where 13 of the new tests fail (redundant parens across expression contexts, contains() self-operand, non-string begins_with, size() UTF-16 counting, negative Segment); the rest pass. Dynoxide fixes are tracked separately.