
fix: mark MAL- advisories as unverifiable when package resolves from a private registry#588

Merged
sonukapoor merged 12 commits into main from bugfix/issue-586-mal-private-registry-false-positive on Jun 9, 2026

Conversation

@sonukapoor

Collaborator

When a project pulls packages from a private registry (Artifactory, GitHub Packages, a corporate npm proxy), CVE Lite CLI was surfacing MAL- advisories for packages that share a name with known-malicious public npm packages but are completely different artifacts. The resolved URL in the lockfile points to the private registry, not npm, but the tool had no way to distinguish them.

Reported with three specific advisory IDs from a real enterprise environment where all three packages were pinned to trusted internal sources and confirmed non-malicious.

What changed

  • PackageRef gains resolvedUrl?: string - populated from the resolved field in package-lock.json (v3 lockfiles only; Yarn/pnpm follow-up in separate PRs)
  • When a MAL- advisory matches a package whose resolvedUrl does not start with https://registry.npmjs.org/, the finding is marked maliciousUnverifiable: true
  • Terminal output renders these as yellow Unverifiable (private source) instead of red Malicious, with a message explaining the advisory could not be confirmed for this artifact
  • HTML report renders a badge-warning badge with a tooltip explaining the uncertainty
  • Normal MAL- findings from public npm are unchanged

What is NOT changed

  • Any existing CVE/GHSA advisory handling
  • Yarn, pnpm, or Bun lockfile parsers (resolvedUrl support for those is tracked separately)
  • The maliciousUnverifiable flag is only ever set to true - never to false

Tests

  • Parser test: resolvedUrl preserved from package-lock.json resolved field
  • Scanner tests: flag set for private registry MAL-, not set for public npm MAL-, not set when no resolvedUrl, not set for non-MAL CVE from private registry
  • Output test: getRecommendedAction returns unverifiable message for private registry findings
  • HTML test: unverifiable badge renders correctly

Closes #586
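As an added illustration, not CVE Lite CLI's own code, here is the rule the PR describes carried end to end: a v3 package-lock.json parser that preserves the resolved field as resolvedUrl, a scanner that sets maliciousUnverifiable only for MAL- matches whose artifact did not come from https://registry.npmjs.org/, and the recommended-action text. Only PackageRef.resolvedUrl, maliciousUnverifiable and getRecommendedAction follow names from the PR description; the Advisory and Finding shapes, the exact-version matching rule, the message wording, the lockfile contents, the package names and the advisory IDs are all constructed for this example.

```typescript
// Added example; not the project's code. Only PackageRef.resolvedUrl,
// maliciousUnverifiable and getRecommendedAction are names from the PR.
const PUBLIC_NPM_PREFIX = "https://registry.npmjs.org/";

interface PackageRef {
  name: string;
  version: string;
  resolvedUrl?: string; // from the lockfile's "resolved" field, when present
}

interface Advisory {
  id: string;         // assumed shape: "MAL-..." vs "GHSA-..." / "CVE-..."
  name: string;
  versions: string[]; // assumed: exact affected versions (real feeds use ranges)
}

interface Finding {
  advisoryId: string;
  pkg: PackageRef;
  maliciousUnverifiable?: boolean; // only ever set to true, never to false
}

// v3 lockfiles key every dependency under "packages" as
// "node_modules/<name>" (nested installs and scoped names included);
// the name is whatever follows the last "node_modules/" segment.
function parseLockfileV3(text: string): PackageRef[] {
  const lock = JSON.parse(text);
  if (lock.lockfileVersion !== 3) {
    throw new Error("only lockfileVersion 3 is handled here");
  }
  const packages: Record<string, any> = lock.packages || {};
  const marker = "node_modules/";
  const refs: PackageRef[] = [];
  for (const path of Object.keys(packages)) {
    const entry = packages[path];
    // "" is the root project; workspace links carry no version
    if (path === "" || typeof entry.version !== "string") continue;
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    const ref: PackageRef = { name, version: entry.version };
    if (typeof entry.resolved === "string") ref.resolvedUrl = entry.resolved;
    refs.push(ref);
  }
  return refs;
}

function resolvedFromPublicNpm(ref: PackageRef): boolean {
  return ref.resolvedUrl !== undefined && ref.resolvedUrl.startsWith(PUBLIC_NPM_PREFIX);
}

function scan(refs: PackageRef[], advisories: Advisory[]): Finding[] {
  const findings: Finding[] = [];
  for (const ref of refs) {
    for (const adv of advisories) {
      if (adv.name !== ref.name || adv.versions.indexOf(ref.version) === -1) continue;
      const finding: Finding = { advisoryId: adv.id, pkg: ref };
      // MAL- advisories describe a specific public npm artifact. If this
      // install resolved elsewhere, the name match proves nothing, so mark
      // it unverifiable. No resolvedUrl at all: leave the finding as-is.
      if (adv.id.startsWith("MAL-") && ref.resolvedUrl !== undefined && !resolvedFromPublicNpm(ref)) {
        finding.maliciousUnverifiable = true;
      }
      findings.push(finding);
    }
  }
  return findings;
}

function getRecommendedAction(f: Finding): string {
  const pkg = `${f.pkg.name}@${f.pkg.version}`;
  if (f.maliciousUnverifiable) {
    return `Unverifiable (private source): ${f.advisoryId} names ${pkg}, but this artifact was ` +
      `resolved from ${f.pkg.resolvedUrl}; confirm against the internal source before acting.`;
  }
  if (f.advisoryId.startsWith("MAL-")) return `Malicious: remove ${pkg} immediately (${f.advisoryId}).`;
  return `Vulnerable: upgrade ${pkg} (${f.advisoryId}).`;
}

// Constructed sample lockfile covering the four cases the PR's tests name.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3, packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/widget-a":  { version: "1.3.0", resolved: "https://registry.npmjs.org/widget-a/-/widget-a-1.3.0.tgz" },
    "node_modules/corp-utils": { version: "2.0.0", resolved: "https://artifactory.corp.example/api/npm/npm-local/corp-utils/-/corp-utils-2.0.0.tgz" },
    "node_modules/legacy-lib": { version: "0.1.0" },
    "node_modules/proxied-dep": { version: "4.2.0", resolved: "https://npm.corp.example/proxied-dep/-/proxied-dep-4.2.0.tgz" },
  },
});

// Constructed advisories; the IDs are placeholders, not real advisories.
const SAMPLE_ADVISORIES: Advisory[] = [
  { id: "MAL-0000-0001", name: "widget-a", versions: ["1.3.0"] },        // public npm: stays Malicious
  { id: "MAL-0000-0002", name: "corp-utils", versions: ["2.0.0"] },      // private registry: Unverifiable
  { id: "MAL-0000-0003", name: "legacy-lib", versions: ["0.1.0"] },      // no resolved field: stays Malicious
  { id: "GHSA-xxxx-xxxx-xxxx", name: "proxied-dep", versions: ["4.2.0"] }, // non-MAL: untouched
];

for (const f of scan(parseLockfileV3(SAMPLE_LOCK), SAMPLE_ADVISORIES)) {
  console.log(getRecommendedAction(f));
}
```

The prefix includes the trailing slash, so a lookalike host such as registry.npmjs.org.attacker.example does not match it; an http:// or scheme-less mirror of npm is also treated as non-public, which errs on the conservative side. Anything the rule does not positively recognise as the public registry is downgraded to "unverifiable", never cleared, which is what keeps the flag one-directional.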

@sonukapoor sonukapoor marked this pull request as ready for review June 9, 2026 03:14
@sonukapoor sonukapoor merged commit 8c900eb into main Jun 9, 2026
6 checks passed
@sonukapoor sonukapoor deleted the bugfix/issue-586-mal-private-registry-false-positive branch June 9, 2026 03:16
@sonukapoor sonukapoor mentioned this pull request Jun 9, 2026

Development

Successfully merging this pull request may close these issues.

feat: skip MAL- advisories for packages resolved from private registries