…model 3)

Wires the conformance scorer (sbom_conformance, merged in #409) into the
existing CycloneDX ingest pipeline (#406) and exposes the verdict:

- models/sbom_conformance.py + alembic 0033: one sbom_conformance row per
  ingested scan (scan_id UNIQUE FK CASCADE, denormalised project_id), holding
  result (pass|warn|fail), n_fail/n_warn, component_count, PURL/license/hash
  coverage, and the per-check JSONB array. Forward-only.

- tasks/ingest_sbom.py: a 'conformance' stage (progress 20) scores the ORIGINAL
  uploaded bytes and persists the verdict before component persistence. Verdict
  is advisory — a 'fail' is recorded + surfaced but does NOT abort matching.
  Persist is delete-then-insert so a Celery acks_late re-entry replaces the row
  (uq_sbom_conformance_scan_id) — _reset_scan_for_rerun does not touch it.

- GET /v1/projects/{project_id}/scans/{scan_id}/conformance (api/v1/sbom.py) +
  SbomConformanceRead schema. Existence-hide 404 for outsiders; the
  (scan_id, project_id) predicate rejects cross-project reads. OpenAPI snapshot
  updated.

- Tests: pipeline asserts the verdict row (result/coverage/checks) + a forced
  re-entry REPLACES it (no dupe). API tests cover the happy read, cross-team
  404 (permission-before-state), missing-verdict 404, wrong-project 404.

- docs (EN/KO): a 'conformance verdict' section on the SBOM-upload guide —
  endpoint, pass/warn/fail meaning, thresholds, advisory (non-blocking) note.