fix(check): collapse duplicate manual and OSV findings per package version

[garagon]

Summary

When a refreshed OSV snapshot catches up to a hand-curated manual advisory, the matcher correctly returns both records for the same (ecosystem, name, version, path) tuple. The check output layer was rendering each record as a separate Finding, so a single real-world exposure showed up twice in aguara check --fresh once OSV ingested a tuple already in the manual snapshot.

Where the fix lives

At the output boundary, not in the matcher.

• The matcher keeps returning every record so correlation consumers (existing analyzers and any future tools that iterate intel.Match) can still see the full set.
• The check / runner output layers collapse to one Finding (or Hit) per (ecosystem, name, version, path) tuple.

EmbeddedSnapshots() returns the manual snapshot first and OSV second, so hits[0] picks the curated advisory ID (e.g. SOCKET-*) over the OSV one (e.g. MAL-*) when both are present. The user-facing advisory token stays stable across aguara check and aguara check --fresh.

Sites touched

File	Path	Behaviour after
internal/incident/npm.go	installed-tree npm	one Finding per package
internal/incident/checker.go	PyPI site-packages	one Finding per package
internal/incident/checker.go	PyPI dist-info cache scan	one Finding per cache path (already capped by seen[path], now also short-circuits on first hit)
internal/packagecheck/runner.go	multi-ecosystem lockfile runner	one Hit per ref; version-alias loop now breaks on first match

Tests

• TestCheckNPM_CollapsesManualAndOSVDuplicate: synthetic manual + OSV snapshots covering the same package version. Asserts exactly one Finding and that the manual advisory ID wins the title.
• TestRunnerCollapsesMultipleIntelRecordsPerPackageRef: the same scenario routed through the packagecheck runner against the existing pnpm-mini-shai-hulud-antv fixture. Asserts one Hit and that the manual record wins.
• TestMatcherDistinctIDsAtSameTupleStaySeparate stays green: the matcher continues to return both records.
• TestRunner_ComposerAliasDoesNotDoubleCountFinding stays green: the version-alias dedup still works at the new layer.

Scope and what does not change

• JSON schema unchanged
• KnownCompromised unchanged
• OSV importer unchanged
• intel.Matcher unchanged

End-to-end

Before, with manual intel + OSV both covering an affected tuple:

aguara check /repo --ecosystem npm --fresh --format json
findings_count: 4
package A -> SOCKET-* and MAL-*  (2 findings)
package B -> SOCKET-* and MAL-*  (2 findings)

After:

findings_count: 2
package A -> SOCKET-*
package B -> SOCKET-*

Test plan

• go test -race -count=1 ./... clean
• go vet ./... clean
• golangci-lint run ./... 0 issues
• TestMatcherDistinctIDsAtSameTupleStaySeparate still green (correct invariant preserved)
• Docker E2E against ghcr.io/garagon/aguara:0.18.1 confirms 4 -> 2 findings on the --fresh path
• CI green on this PR