fix: add tmpVolume support to brainstore reader and writer

[wadhah mahrouk (wadhah101)]

Summary

• Add tmpVolume configuration to brainstore reader and writer deployments, matching the existing API tmpVolume pattern
• When enabled, mounts a writable emptyDir at /tmp — required when readOnlyRootFilesystem is true for CEL policy compliance
• Fix nil pointer error in tmpVolume defaults: changed all three tmpVolume configs (API, reader, writer) from fully commented-out to actual default values (enabled: false), preventing template rendering failures when tmpVolume is not explicitly set
• Update the CEL example values to include tmpVolume for both brainstore reader and writer

The require-readonly-root-filesystem CEL policy requires all containers to use read-only root filesystems. When enabled, processes that write to /tmp fail unless a writable volume is mounted there. The API deployment already had this feature; this PR extends it to brainstore reader and writer.

Changes

• braintrust/values.yaml — Added tmpVolume defaults (enabled: false) under api, brainstore.reader, and brainstore.writer (previously fully commented out, which caused nil pointer errors during helm template)
• braintrust/templates/brainstore-reader-deployment.yaml — Added conditional tmp-volume volumeMount and volume
• braintrust/templates/brainstore-writer-deployment.yaml — Added conditional tmp-volume volumeMount and volume
• braintrust/examples/google-autopilot-cel/values.yaml — Enabled tmpVolume for both reader and writer in the CEL example

How to test

• helm template with default values renders without errors and excludes tmp-volume
• helm template --set brainstore.writer.tmpVolume.enabled=true --set brainstore.writer.tmpVolume.sizeLimit=1Gi includes the /tmp mount and emptyDir volume with sizeLimit
• helm template -f examples/google-autopilot-cel/values.yaml renders both reader and writer with tmp-volume correctly