chore: Follow-up hardening bundle: introspection, validation, CI, and metadata #13

Merged: ankitml merged 10 commits into main from codex/hardening-followup-bundle on Mar 4, 2026

@philippemnoel
Member

Summary

This bundles all follow-up hardening work into a single PR as requested.

Core code hardening

  • Stop relying on private SQLAlchemy Select attributes by adding has_order_by() / has_limit() helpers and using them in facets/pushdown validation.
  • Replace fragile BM25 index introspection (pg_indexes string parsing) with structured pg_catalog introspection.
  • Harden BM25 expression parsing for casts, JSON key expressions, qualified refs, and quoted identifiers.
  • Make Alembic BM25 autogenerate consume the same DB-native introspection path and use safer qualifier stripping.

API validation and behavior safeguards

  • Add reusable require_non_empty_string() validator.
  • Tighten search argument validation across term/phrase/regex/parse/prox/range/MLT helpers.
  • Tighten snippet/snippets/agg input validation in pdb.py.

Test quality improvements

  • Strengthen integration assertions from weak non-empty checks to deterministic semantic checks.
  • Add/expand unit tests for indexing parsing, alembic normalization, and new validation rules.

CI and repo hygiene

  • Enforce Codecov status checks (informational: false).
  • Harden GitHub Actions permissions with explicit least-privilege workflow permissions.
  • Improve CI matrix coverage (Python 3.10, 3.11, 3.12) and narrow push trigger to main.
  • Pin integration image to paradedb/paradedb:0.21.10-pg18 and update DSN to postgresql+psycopg://....
  • Add project metadata/links in pyproject.toml and normalize changelog structure.

Validation

  • ruff check .
  • python3 -m compileall paradedb tests

Notes

  • pytest is not available in the current system-managed Python environment in this runner, so full test execution could not be run locally here.

@philippemnoel philippemnoel changed the title from "Follow-up hardening bundle: introspection, validation, CI, and metadata" to "chore: Follow-up hardening bundle: introspection, validation, CI, and metadata" on Mar 1, 2026
@philippemnoel philippemnoel force-pushed the codex/hardening-followup-bundle branch 2 times, most recently from 7609c8f to 9eb68d5 on March 2, 2026 19:04
@ankitml ankitml force-pushed the codex/hardening-followup-bundle branch from 9eb68d5 to 273ccf3 on March 4, 2026 06:03
Contributor

@ankitml ankitml left a comment

This is a pretty good one. Minor changes and good to go.

@ankitml ankitml merged commit 16adc4f into main Mar 4, 2026
9 checks passed
@ankitml ankitml deleted the codex/hardening-followup-bundle branch March 4, 2026 06:15