Cap SPDX envelope unwrap depth to prevent quadratic re-parse#1

Merged: andrew merged 1 commit into main from fix/envelope-unwrap-depth, May 2, 2026

Conversation

@andrew (Contributor) commented May 2, 2026

parseSPDX recursively unwrapped {"sbom":...} and {"predicate":...} envelopes with no depth limit. Each level re-ran json.Unmarshal on the full nested raw bytes, so a deeply nested input like {"sbom":{"sbom":{"sbom":...}}} produced quadratic parse work and could be used as a DoS vector.

The recursion is now a bounded loop capped at maxEnvelopeDepth = 3, which is enough for the real-world cases (GitHub dependency-graph wraps once under sbom, in-toto attestations wrap once under predicate, and at most you'd see one inside the other). Anything deeper falls through to ErrUnrecognized.

Added TestSPDXGitHubEnvelope to confirm 1-2 levels of sbom wrapping still parse correctly, and TestSPDXEnvelopeDepthLimit to confirm a 100-level nest is rejected immediately.
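The bounded loop the PR describes, as an added example that is not the project's code: the names maxEnvelopeDepth, ErrUnrecognized and the sbom/predicate keys come from the PR text, while envelope, unwrapEnvelope, nestSBOM and the SPDXID marker check are assumptions. Each level still scans all remaining bytes, so the cap on levels, not a cheaper parse, is what removes the quadratic blow-up.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// maxEnvelopeDepth and ErrUnrecognized are the PR's names; the rest is an
// assumed stand-in for the project's parser, not its code.
const maxEnvelopeDepth = 3
var ErrUnrecognized = errors.New("unrecognized SBOM document")

// One wrapper level. RawMessage defers decoding of the payload, but Unmarshal
// still scans all of it for validity, so every level costs O(len(raw)).
type envelope struct {
	SBOM      json.RawMessage `json:"sbom"`      // GitHub dependency-graph wrapper
	Predicate json.RawMessage `json:"predicate"` // in-toto attestation wrapper
	SPDXID    string          `json:"SPDXID"`    // assumed marker for a real SPDX body
}

// unwrapEnvelope peels at most maxEnvelopeDepth wrapper levels in a loop;
// anything deeper is rejected with ErrUnrecognized instead of recursed into.
func unwrapEnvelope(raw []byte) ([]byte, int, error) {
	for depth := 0; depth <= maxEnvelopeDepth; depth++ {
		var env envelope
		if err := json.Unmarshal(raw, &env); err != nil {
			return nil, depth, err
		}
		switch {
		case env.SPDXID != "":
			return raw, depth, nil // found the real document
		case len(env.SBOM) > 0:
			raw = env.SBOM
		case len(env.Predicate) > 0:
			raw = env.Predicate
		default:
			return nil, depth, ErrUnrecognized
		}
	}
	return nil, maxEnvelopeDepth, ErrUnrecognized
}

// nestSBOM builds a constructed input wrapped `levels` times under "sbom".
func nestSBOM(inner string, levels int) []byte {
	return []byte(strings.Repeat(`{"sbom":`, levels) + inner + strings.Repeat("}", levels))
}

func main() {
	inner := `{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.3"}`
	_, depth, err := unwrapEnvelope(nestSBOM(inner, 100)) // the 100-level nest
	fmt.Println(depth, err)                                // 3 unrecognized SBOM document
}
```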

@andrew andrew merged commit 58e4af0 into main May 2, 2026
2 checks passed
@andrew andrew deleted the fix/envelope-unwrap-depth branch May 2, 2026 15:56