Pin alpine:3.23, multi-stage runtime, smoke test, fix arg drift
- Pin both stages to alpine:3.23 (was floating 'alpine').
- Multi-stage: separate runtime image without rust+cargo+sdk, just python3.
- venv for Python deps (PEP 668 on modern Alpine blocks system pip).
- start.sh: -c <fieldMappings.yaml> (was .json — upstream renamed), drop -t which now means --template (Jinja2) not tmpdir.
- test_smoke.sh: fetch Yamato sample-evtx on demand, scan, verify JSON + log produced, count Sigma rule hits.
- fetch-test-data.sh + .gitignore for test-data/.

Validated end-to-end on amd64 Linux: 5/5 PASS, 39 hits, Zircolite v3.6.3 with 2160 rules.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Executable
+9
@@ -0,0 +1,9 @@
#!/bin/bash
# Pull the upstream EVTX sample bundle (Yamato Security's curated bundle of
# DeepBlueCLI, EVTX-ATTACK-SAMPLES, EVTX-to-MITRE-Attack, plus their own).
set -e
cd "$(dirname "$0")"
mkdir -p test-data
[ -d test-data/sample-evtx ] || \
git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
echo "ready: test-data/sample-evtx"
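Review bot: the `git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx` line pulls whatever the upstream default branch currently is, so the test fixture is unpinned even though the rest of this commit is about pinning (alpine:3.23) and the commit message records an expected result of "39 hits"; as the sample set changes upstream, that count and the smoke test's pass/fail will drift, and the script has no way to notice. Suggest cloning a specific tag or commit (for example `git clone --depth=1 --branch <TAG_OR_REF>` followed by a `git -C test-data/sample-evtx rev-parse HEAD` check against a pinned hash) so the smoke test is reproducible and a changed fixture is a deliberate update rather than a silent one. Two smaller points: the `[ -d test-data/sample-evtx ] || \` guard only tests that the directory exists, so an interrupted or partial clone is treated as "ready" on the next run (checking for a known file inside the checkout, or for `.git`, would be more robust), and `set -e` could be `set -euo pipefail` for consistency with the stricter mode used elsewhere in shell scripts of this kind.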