fix(scanner): route non-CVE findings out of Supply Chain Audit section
AI-scanner and other non-package findings surfaced during the Pass 2 deep rescan (full-filesystem) were rendered under "Supply Chain Audit (CVEs)" because the frontend filtered that section purely by scan_pass === 2. Introduce a `supply_chain_audit` flag set by the backend only for findings with a CVE-prefixed rule ID or a populated PackageName, and group by threat_type in the UI instead. Adds an "Other Findings" bucket so AI findings classified as `uncategorized` stay visible.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude Code committed
9100e387a020b6c314fbbc881aef13588098a68e
Parent: bbd2a47