[codex] Include SARIF in example artifact checks

[stacknil]

Brief Design Summary

This PR extends the example artifact regeneration check to include the strict-policy SARIF sample.

scripts/regenerate-example-artifacts.py --check now regenerates examples/sample-sarif.sarif through the public CLI and normalizes originalUriBaseIds.%SRCROOT%.uri to file:///__PROJECT_ROOT__/ so checked-in output does not depend on a maintainer's local checkout path.

The docs now describe that the regeneration script covers local JSON, Markdown, summary, policy sidecar, and strict-policy SARIF examples. Provenance-aware and Scorecard-aware enriched SARIF samples remain covered by their focused golden tests.

Files Changed

• tools/sbom-diff-and-risk/scripts/regenerate-example-artifacts.py
• tools/sbom-diff-and-risk/docs/example-artifact-regeneration.md
• tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md
• tools/sbom-diff-and-risk/README.md

Validation

cd tools/sbom-diff-and-risk
python scripts/regenerate-example-artifacts.py --check
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

• example artifact check passed and included strict-policy SARIF report
• python -m pytest: 163 passed
• python -m build: passed, produced sbom_diff_and_risk-0.9.0 wheel and sdist
• python -m twine check: passed for wheel and sdist
• git diff --check: passed
• package version remains 0.9.0
• .github/workflows unchanged
• broad Unicode Cf/Cc scan found no non-tab/newline control or format characters in touched files

Out of Scope

• No runtime CLI behavior changes
• No report schema changes
• No example output content changes
• No workflow changes
• No package version bump
• No tag or GitHub Release
• No PyPI/TestPyPI publishing
• No production PyPI workflow