Add Phase 3 network foundation slices

[TacoRocket]

What changed

• added the Phase 3 nics, endpoints, and network-ports slices as one network foundation branch
• wired the new commands through CLI, registry, help, table rendering, output writing, schemas, fixtures, and goldens
• documented a deferred network-effective future candidate for deeper Azure effective-ingress analysis

Why it changed

• Phase 3 starts by building operator-first network context in a sequence that reuses existing VM and workload plumbing
• nics establishes attachment and network-boundary evidence
• endpoints surfaces reachable IP and hostname entry points
• network-ports adds likely inbound allow evidence from visible NIC and subnet NSGs without over-claiming full effective reachability

Implementation notes

• findings remain intentionally narrow for these slices; the evidence is exposed, but stronger exposure claims are deferred until later network analysis exists
• network-ports now avoids falsely claiming no NSG visibility when a subnet NSG is visible but has no matching allow rules
• NSG allow-source labels include resource_group/name to avoid ambiguity when names repeat across groups

Validation

• python3 -m pytest tests/test_collectors.py tests/test_golden_outputs.py tests/test_contract_schemas.py tests/test_cli_smoke.py tests/test_help.py tests/test_terminal_ux.py tests/test_models.py
• push guardrail checks: lint passed and pre-push tests passed (83 passed, 2 deselected)

Notes

• unrelated in-flight closeout files were intentionally left out of this PR
• one non-behavioral wrap in older src/azurefox/correlation/findings.py was applied only to satisfy the repo push guardrail on the mixed worktree