feat: hourly CVE alerting with notification bell and API

Implements the full CVE alerting pipeline:

CVE Monitor (scheduler.rs):
- Replaces stub monitor_cves with actual OSV.dev scanning of all SBOM entries
- Runs hourly by default (CVE_MONITOR_SCHEDULE, was daily)
- Creates CveNotification for each new CVE (deduped by cve_id+repo+package)
- Updates SBOM entries with discovered vulnerabilities
- Upserts CveAlert records

Notification Model (compliance-core/models/notification.rs):
- CveNotification with status lifecycle: new → read → dismissed
- NotificationSeverity (Low/Medium/High/Critical) from CVSS scores
- parse_severity helper for OSV/NVD severity mapping

API Endpoints (5 new routes):
- GET /api/v1/notifications — List with status/severity/repo filters
- GET /api/v1/notifications/count — Unread count (for badge)
- PATCH /api/v1/notifications/:id/read — Mark as read
- PATCH /api/v1/notifications/:id/dismiss — Dismiss
- POST /api/v1/notifications/read-all — Bulk mark read

Dashboard Notification Bell:
- Floating bell icon (top-right) with unread count badge
- Dropdown panel showing CVE details: severity, CVSS, package, repo, summary
- Dismiss individual notifications
- Auto-marks as read when panel opens
- Polls count every 30 seconds

Also:
- Fix Dockerfile.dashboard: revert to dioxus-cli 0.7.3 --locked
- Add cve_notifications collection with unique + status indexes
- MongoDB indexes for efficient notification queries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-dashboard/assets/main.css

@@ -3847,3 +3847,33 @@ tbody tr:last-child td {
 .help-chat-send:not(:disabled):hover {
     background: var(--accent-hover);
 }
+
+/* ═══════════════════════════════════════════════════════════════
+   NOTIFICATION BELL — CVE alert dropdown
+   ═══════════════════════════════════════════════════════════════ */
+.notification-bell-wrapper { position: fixed; top: 16px; right: 28px; z-index: 48; }
+.notification-bell-btn { position: relative; background: var(--bg-elevated); border: 1px solid var(--border); border-radius: 10px; padding: 8px 10px; color: var(--text-secondary); cursor: pointer; display: flex; align-items: center; transition: color 0.15s, border-color 0.15s; }
+.notification-bell-btn:hover { color: var(--text-primary); border-color: var(--border-bright); }
+.notification-badge { position: absolute; top: -4px; right: -4px; background: var(--danger); color: #fff; font-size: 10px; font-weight: 700; min-width: 18px; height: 18px; border-radius: 9px; display: flex; align-items: center; justify-content: center; padding: 0 4px; font-family: 'Outfit', sans-serif; }
+.notification-panel { position: absolute; top: 44px; right: 0; width: 380px; max-height: 480px; background: var(--bg-secondary); border: 1px solid var(--border-bright); border-radius: 12px; overflow: hidden; box-shadow: 0 12px 48px rgba(0,0,0,0.5); display: flex; flex-direction: column; }
+.notification-panel-header { display: flex; align-items: center; justify-content: space-between; padding: 12px 16px; border-bottom: 1px solid var(--border); font-family: 'Outfit', sans-serif; font-weight: 600; font-size: 14px; color: var(--text-primary); }
+.notification-close-btn { background: none; border: none; color: var(--text-secondary); cursor: pointer; padding: 2px; }
+.notification-panel-body { overflow-y: auto; flex: 1; padding: 8px; }
+.notification-loading, .notification-empty { display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 32px 16px; color: var(--text-secondary); font-size: 13px; gap: 8px; }
+.notification-item { padding: 10px 12px; border-radius: 8px; margin-bottom: 4px; background: var(--bg-card); border: 1px solid var(--border); transition: border-color 0.15s; }
+.notification-item:hover { border-color: var(--border-bright); }
+.notification-item-header { display: flex; align-items: center; gap: 8px; margin-bottom: 4px; }
+.notification-sev { font-size: 10px; font-weight: 700; padding: 2px 6px; border-radius: 4px; text-transform: uppercase; letter-spacing: 0.5px; font-family: 'Outfit', sans-serif; }
+.notification-sev.sev-critical { background: var(--danger-bg); color: var(--danger); }
+.notification-sev.sev-high { background: rgba(255,140,0,0.12); color: #ff8c00; }
+.notification-sev.sev-medium { background: var(--warning-bg); color: var(--warning); }
+.notification-sev.sev-low { background: rgba(0,200,255,0.08); color: var(--accent); }
+.notification-cve-id { font-size: 12px; font-weight: 600; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
+.notification-cve-id a { color: var(--accent); text-decoration: none; }
+.notification-cve-id a:hover { text-decoration: underline; }
+.notification-cvss { font-size: 10px; color: var(--text-secondary); margin-left: auto; font-family: 'JetBrains Mono', monospace; }
+.notification-dismiss-btn { background: none; border: none; color: var(--text-tertiary); cursor: pointer; padding: 2px; margin-left: 4px; }
+.notification-dismiss-btn:hover { color: var(--danger); }
+.notification-item-pkg { font-size: 12px; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
+.notification-item-repo { font-size: 11px; color: var(--text-secondary); margin-bottom: 4px; }
+.notification-item-summary { font-size: 11px; color: var(--text-secondary); line-height: 1.4; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; overflow: hidden; }