
Add SBOM artifact stage scope fixtures #2082

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/sbom-stage-scope-fixtures-1608

Conversation

@DENGXUELIN


/claim #1608

Summary

  • Adds artifact-stage and component-scope gates to sbom-analysis before vulnerability SLA, license severity, and overall supply-chain classification decisions.
  • Adds output fields for artifact stage, scope buckets, and runtime artifact evidence so source/build/test SBOM findings are separated from deployed runtime risk.
  • Adds vulnerable and benign fixtures for mixed-stage runtime misclassification versus correctly reconciled final-image/runtime scope evidence.

Why this improves the existing skill

A source-tree or build-stage SBOM can include linters, test fixtures, build tools, and excluded components that are absent from the deployed artifact. Conversely, final images can contain base packages missing from lockfile SBOMs. This patch keeps those evidence stages separate so runtime CVE SLA and shipped-license severity are based on the artifact that actually ships or runs.

Validation

  • git diff --cached --check
  • git diff --check origin/main...HEAD
  • git merge-tree --write-tree origin/main HEAD
  • Markdown fence balance check
  • Added-line ASCII check
  • Marker check for SBOM-SCOPE-01 through SBOM-SCOPE-06, Artifact Stage and Component Scope, and version: "1.0.1"
  • Added-line sensitive/public-contact pattern scan

Bounty request: Improver Moderate ($100) if accepted/merged.
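The stage separation the PR description argues for, as an added example that is not the PR's code or the sbom-analysis skill's own implementation: components from per-stage SBOMs are bucketed by where they were observed (runtime image only, runtime and source, pre-runtime only) and each finding is tagged with its scope before the runtime SLA gate is applied. The bucket names, field names, stage labels and sample component lists are assumptions constructed for this example; the finding identifiers are placeholders, not real advisories.

```python
"""Partition SBOM components by artifact stage and gate SLA decisions on runtime scope.

Hypothetical example code; field names, stage labels and bucket names are assumptions,
not the sbom-analysis skill's real schema.
"""
from collections import defaultdict

RUNTIME_STAGE = "runtime"                       # SBOM generated from the final image
PRE_RUNTIME_STAGES = ("source", "build", "test")  # lockfile / build / test SBOMs


def component_key(component):
    # Identify a component by name and version (a purl would be preferable where present).
    return (component["name"], component["version"])


def partition_by_scope(stage_sboms):
    """Map every (name, version) seen in any stage SBOM to a scope bucket.

    stage_sboms: {"source": [...], "build": [...], "test": [...], "runtime": [...]}
    Buckets:
      runtime_only     - in the final image but in no pre-runtime SBOM (e.g. base-image packages)
      runtime_shared   - in the final image and in at least one pre-runtime SBOM
      pre_runtime_only - never observed in the final image (linters, test fixtures, build tools)
    """
    stages_seen = defaultdict(set)
    for stage, components in stage_sboms.items():
        for component in components:
            stages_seen[component_key(component)].add(stage)

    buckets = {"runtime_only": set(), "runtime_shared": set(), "pre_runtime_only": set()}
    for key, stages in stages_seen.items():
        in_runtime = RUNTIME_STAGE in stages
        in_pre_runtime = any(stage in stages for stage in PRE_RUNTIME_STAGES)
        if in_runtime and in_pre_runtime:
            buckets["runtime_shared"].add(key)
        elif in_runtime:
            buckets["runtime_only"].add(key)
        else:
            buckets["pre_runtime_only"].add(key)
    return buckets


def gate_findings(stage_sboms, findings):
    """Attach artifact-stage scope to each finding and decide whether the runtime SLA applies.

    Edge case: with no runtime-stage SBOM there is no evidence of what actually ships, so
    runtime_evidence is False and the SLA is applied conservatively to every finding rather
    than letting a source-only SBOM silently downgrade shipped risk.
    """
    runtime_evidence = bool(stage_sboms.get(RUNTIME_STAGE))
    buckets = partition_by_scope(stage_sboms)
    scope_of = {key: bucket for bucket, keys in buckets.items() for key in keys}

    gated = []
    for finding in findings:
        scope = scope_of.get((finding["component"], finding["version"]), "unknown")
        if runtime_evidence:
            sla_applies = scope in ("runtime_only", "runtime_shared")
        else:
            sla_applies = True  # cannot prove the component is absent from the shipped artifact
        gated.append({**finding, "scope": scope,
                      "runtime_evidence": runtime_evidence, "sla_applies": sla_applies})
    return gated


# Constructed sample data: a lockfile-derived source SBOM containing dev tooling, and a
# final-image SBOM containing a base OS package that no lockfile knows about.
SOURCE_SBOM = [
    {"name": "eslint", "version": "8.0.0"},
    {"name": "express", "version": "4.18.2"},
    {"name": "jest", "version": "29.0.0"},
]
RUNTIME_SBOM = [
    {"name": "express", "version": "4.18.2"},
    {"name": "libssl3", "version": "3.0.2-0ubuntu1"},
]
# Placeholder finding identifiers for the example; these are not real advisories.
FINDINGS = [
    {"component": "eslint", "version": "8.0.0", "id": "EXAMPLE-1", "severity": "high"},
    {"component": "express", "version": "4.18.2", "id": "EXAMPLE-2", "severity": "medium"},
    {"component": "libssl3", "version": "3.0.2-0ubuntu1", "id": "EXAMPLE-3", "severity": "high"},
]


if __name__ == "__main__":
    for row in gate_findings({"source": SOURCE_SBOM, "runtime": RUNTIME_SBOM}, FINDINGS):
        print(f'{row["id"]:<10} {row["component"]:<8} scope={row["scope"]:<17} '
              f'sla_applies={row["sla_applies"]}')
```

Running the block with both SBOMs present leaves the linter finding outside the SLA clock while the base-image package, which appears in no lockfile, is still treated as shipped runtime risk; dropping the runtime SBOM from the input flips every finding back to SLA scope, which is the conservative answer when the evidence for what runs is missing.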
