Pin alpine:3.23, multi-stage runtime, smoke test, fix arg drift

- Pin both stages to alpine:3.23 (was floating 'alpine').
- Multi-stage: separate runtime image without rust+cargo+sdk, just python3.
- venv for Python deps (PEP 668 on modern Alpine blocks system pip).
- start.sh: -c <fieldMappings.yaml> (was .json — upstream renamed),
  drop -t which now means --template (Jinja2) not tmpdir.
- test_smoke.sh: fetch Yamato sample-evtx on demand, scan, verify JSON
  + log produced, count Sigma rule hits.
- fetch-test-data.sh + .gitignore for test-data/.

Validated end-to-end on amd64 Linux: 5/5 PASS, 39 hits, Zircolite v3.6.3
with 2160 rules.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

start.sh

@@ -32,4 +32,13 @@ fi
 outputf="${output}/zircolite_$(date +%s)"
 echo "output is goint to : ${outputf}"
 
-python3 /opt/zircolite/zircolite.py --evtx /data --rules /opt/zircolite/rules/rules_windows_generic.json -c /opt/zircolite/config/fieldMappings.json  -o "${outputf}.json" -t "${output}/tmp" -l "${outputf}.log"
+# --evtx <data dir> ; -o <json output> ; -l <logfile> ; -c <field mappings>.
+# Older start.sh passed -t <tmpdir>, but in current zircolite -t means
+# --template (Jinja2) which expects --templateOutput as well. Tmp is no
+# longer user-controllable so we drop it.
+/opt/zircolite/venv/bin/python /opt/zircolite/zircolite.py \
+  --evtx /data \
+  --rules /opt/zircolite/rules/rules_windows_generic.json \
+  -c /opt/zircolite/config/fieldMappings.yaml \
+  -o "${outputf}.json" \
+  -l "${outputf}.log"