
[codex] Add policy decision CI cookbook #49

Merged
stacknil merged 1 commit into main from codex/add-policy-decision-ci-cookbook on May 9, 2026

Conversation

@stacknil (Owner) commented May 9, 2026

Brief Design Summary

This PR adds a docs-only CI cookbook for policy decision explanation fields in report.json.

The cookbook shows how CI consumers can read summary.policy, collect blocking_findings, warning_findings, and suppressed_findings, and print stable fields such as policy_rule, decision_reason, severity_source, observed_value, and matched_threshold.

It links the cookbook from the tool README, report schema, policy decision explainability guide, reviewer evidence pack, and summary-json cookbook. It keeps the snippets scoped to local policy interpretation and explicitly avoids dependency safety or CVE claims.

No runtime behavior, CLI flags, JSON schema, workflows, package metadata, release tags, GitHub Releases, or publishing status changed.

Files Changed

  • tools/sbom-diff-and-risk/docs/policy-decision-ci-cookbook.md
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/docs/policy-decision-explainability.md
  • tools/sbom-diff-and-risk/docs/report-schema.md
  • tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md
  • tools/sbom-diff-and-risk/docs/summary-json-ci-cookbook.md

Validation

  • git diff --check passed.
  • Confirmed relative Markdown links resolve.
  • Broad Unicode Cf/Cc scan found no non-tab/newline control or format characters.
  • Confirmed the new cookbook has no source lines over 120 characters.
  • Ran a focused smoke command with examples/policy-strict.yml; it wrote outputs/policy-report.json, returned the expected policy failure exit code, and the generated policy findings contained decision_reason and policy_rule.
  • Confirmed package metadata and runtime version remain 0.8.0.
  • Confirmed no workflow files changed and no production PyPI workflow exists.
  • No Python test suite run because this is docs-only.

Out of Scope

  • No runtime behavior changes
  • No CLI behavior changes
  • No JSON schema changes
  • No workflow changes
  • No package version bump
  • No tag or GitHub Release
  • No PyPI/TestPyPI publishing
  • No production PyPI workflow
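The PR description above lists the stable fields a CI consumer is meant to read from report.json but, being a docs-only change, carries no code on this page. The following is an added example, not the cookbook's own snippet or part of this PR: a small Python script that loads a constructed report, collects the three finding buckets from summary.policy, prints only the stable fields named in the description, and fails the CI step when blocking findings are present. The exact nesting (the three lists living directly under summary.policy) is an assumption made for this example, as are the sample values; the report schema documented by the project is authoritative.

```python
"""Read policy decision explanation fields from a report.json (added example).

Assumption: summary.policy holds blocking_findings, warning_findings and
suppressed_findings, each a list of finding objects carrying the stable fields.
"""
import json
import sys

# Constructed sample report; values are illustrative, not from any real scan.
SAMPLE_REPORT_JSON = """
{
  "summary": {
    "policy": {
      "blocking_findings": [
        {
          "policy_rule": "max-severity",
          "decision_reason": "observed severity exceeds configured threshold",
          "severity_source": "constructed-sample",
          "observed_value": "high",
          "matched_threshold": "medium"
        }
      ],
      "warning_findings": [
        {
          "policy_rule": "license-review",
          "decision_reason": "license requires manual review",
          "severity_source": "constructed-sample",
          "observed_value": "LGPL-3.0-only",
          "matched_threshold": "copyleft"
        }
      ],
      "suppressed_findings": []
    }
  }
}
"""

# Only these keys are printed, so CI logs stay stable if extra keys appear later.
STABLE_FIELDS = ("policy_rule", "decision_reason", "severity_source",
                 "observed_value", "matched_threshold")
BUCKETS = ("blocking_findings", "warning_findings", "suppressed_findings")


def load_sample():
    """Parse the embedded constructed report."""
    return json.loads(SAMPLE_REPORT_JSON)


def load_policy_summary(report):
    """Return summary.policy as a dict, tolerating a missing or malformed section."""
    summary = report.get("summary") or {}
    policy = summary.get("policy") if isinstance(summary, dict) else None
    return policy if isinstance(policy, dict) else {}


def collect_findings(policy):
    """Group findings by bucket; every bucket is present even when absent in the input."""
    return {bucket: list(policy.get(bucket) or []) for bucket in BUCKETS}


def format_finding(finding):
    """Render one finding as key=value pairs restricted to the stable fields."""
    return " ".join(f"{key}={finding.get(key, '<missing>')}" for key in STABLE_FIELDS)


def policy_exit_code(findings):
    """Non-zero only when something blocks; warnings and suppressions never fail CI."""
    return 1 if findings["blocking_findings"] else 0


def render_report(report):
    """Produce the log lines for CI and the exit code the step should return."""
    findings = collect_findings(load_policy_summary(report))
    lines = []
    for bucket in BUCKETS:
        lines.append(f"== {bucket} ({len(findings[bucket])}) ==")
        for finding in findings[bucket]:
            lines.append("  " + format_finding(finding))
    return lines, policy_exit_code(findings)


if __name__ == "__main__":
    # Usage: python policy_ci.py [path/to/report.json]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_data = json.load(fh)
    else:
        report_data = load_sample()
    out_lines, exit_code = render_report(report_data)
    print("\n".join(out_lines))
    sys.exit(exit_code)
```

Keeping the decision in policy_exit_code separate from rendering means the CI gate depends only on whether blocking_findings is non-empty, matching the "expected policy failure exit code" behaviour the validation notes describe, while warnings remain visible in the log without failing the job.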

@stacknil stacknil merged commit daf6dbf into main May 9, 2026
5 checks passed
@stacknil stacknil deleted the codex/add-policy-decision-ci-cookbook branch May 9, 2026 14:51