[Security audit] Enrich finding records with triage, evidence, and supply-chain metadata

[cssbruno]

Problem

Audit finding records currently carry the core fields needed for pass/fail output, but they do not include enough stable metadata for long-term triage, suppression auditing, code-scanning correlation, or supply-chain-style evidence tracking.

Current Shape

Findings include fields such as code, severity, target, policy, rule, message, source, and remediation. They do not yet consistently include stable fingerprints, schema/tool version, policy/posture digest, build mode, target, confidence, evidence classification, CWE/OWASP mapping, suppression/waiver details, or first/last-seen information.

Expected Fix

Extend audit finding records and report output with explicit triage and evidence metadata while keeping redaction guarantees for secrets and sensitive response data.

Acceptance Criteria

• Findings include a stable fingerprint suitable for tracking across line movement.
• Reports include schema version, tool/compiler version, policy digest, posture digest, build mode, and target/module context.
• Findings include confidence and evidence classification, aligned with [Security audit] Add evidence classification to posture and findings #556.
• Security findings can include CWE and OWASP mapping where meaningful.
• Suppression/waiver details include owner, justification, expiry, ticket/link, and digest scope, aligned with [Security audit] Replace baseline overrides and blanket --allow-insecure with explicit waivers #555.
• Reports support first-seen/last-seen metadata or a documented diff/report-store mechanism.
• JSON/SARIF output exposes the metadata without leaking secret values.

Related: #558 tracks JSON Schema/SARIF/fingerprint/diff mode, #556 tracks evidence classification, and #555 tracks explicit waivers.