feat(storage): per-finding hexad emission (issue #33 S1)

Adds a per-WeakPoint hexad path to persist_assemblyline_report so a
batch scan can persist one hexad per finding in addition to the existing
aggregate hexad. Subject identity is `finding:<repo>:<file>:<line>:<category>`,
chosen for cross-run stability so the upcoming S2 (campaign register-pr)
and S3 (query) slices can join on it without diffing JSON.

New public surface:
- HexadSemantic gains an optional `finding: Option<FindingSemantic>`
  (additive, skip_serializing_if = none → existing consumers unaffected).
- FindingSemantic carries finding_id / repo / file / line / category /
  rule_id / rule_name / severity / description / first_seen_run /
  last_seen_run / framework. rule_id and rule_name reuse the canonical
  SARIF mapping (sarif.rs::rule_id / rule_name now pub(crate)).
- build_finding_hexads(report) -> Vec<PanicAttackHexad>.
- STORE_FINDING_HEXADS_ENV = "PANIC_ATTACK_STORE_FINDING_HEXADS" — when
  set non-empty AND StorageMode::VerisimDb is configured,
  persist_assemblyline_report writes one file per finding under
  `<dir>/hexads/findings/`.

Behaviour preserved:
- Default path unchanged (env var off → no per-finding writes).
- Aggregate hexad still emitted in every VerisimDb run.
- Suppressed WeakPoints are skipped, keeping the store aligned with
  fleet/CI counts.

S1 sets first_seen_run == last_seen_run; back-stamping from a prior
hexad is S2's job (per the issue), not S1's.

Tests: 7 new (id stability, category discrimination, count per WP,
suppression skip, canonical rule_id/name, file write + round-trip,
env-var default-off). Full suite: 215 lib + 13 + 16 + 6 + 12 + 3 + 7
+ 12 + 14 + 20 + 10 + 8 + 22 + 22 + 12 + 2 doc — all green. Clippy
clean with -D warnings.

Refs #33.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/report/sarif.rs

@@ -112,7 +112,7 @@ pub struct SarifRegion {
 }
 
 /// Map WeakPointCategory to a stable rule ID
-fn rule_id(category: &WeakPointCategory) -> &'static str {
+pub(crate) fn rule_id(category: &WeakPointCategory) -> &'static str {
     match category {
         WeakPointCategory::UncheckedAllocation => "PA001",
         WeakPointCategory::UnboundedAllocation => "PA001b",
@@ -144,7 +144,7 @@ fn rule_id(category: &WeakPointCategory) -> &'static str {
 }
 
 /// Map WeakPointCategory to a human-readable name
-fn rule_name(category: &WeakPointCategory) -> &'static str {
+pub(crate) fn rule_name(category: &WeakPointCategory) -> &'static str {
     match category {
         WeakPointCategory::UncheckedAllocation => "unchecked-allocation",
         WeakPointCategory::UnboundedAllocation => "unbounded-allocation",