feat: Add support for scanning GGUF models from OCI registries

[spiffcs]

Summary

This PR follows up on #4279 by adding support for a new source type.

With this change users can do the following: syft -o json docker.io/ai/qwen3-vl | jq .:

They'll get an SBOM with a single package showing the gguf model and details for the model pulled from https://hub.docker.com/u/ai

Example of metadata extracted

 "metadata": {
        "modelFormat": "gguf",
        "modelName": "Qwen3-Vl-8B-Instruct",
        "modelVersion": "unknown",
        "hash": "321c13d3e93151b5",
        "license": "apache-2.0",
        "ggufVersion": 3,
        "architecture": "qwen3vl",
        "quantization": "Q4_K_M",
        "parameters": 8190735360,
        "tensorCount": 399,
        "header": {
          "general.base_model.0.name": "Qwen3 VL 8B Instruct",
          "general.base_model.0.organization": "Qwen",
          "general.base_model.0.repo_url": "https://huggingface.co/Qwen/Qwen3-VL-8B-Instruct",
          "general.base_model.count": 1,
          "general.basename": "Qwen3-Vl-8B-Instruct",
          "general.file_type": 15,
          "general.finetune": "Instruct",
          "general.quantization_version": 2,
          "general.quantized_by": "Unsloth",
          "general.repo_url": "https://huggingface.co/unsloth",
          "general.size_label": "8B",
          "general.tags": {
            "type": 8,
            "len": 2,
            "startOffset": 741,
            "size": 41
          },
          "general.type": "model",
          "quantize.imatrix.chunks_count": 694,
          "quantize.imatrix.dataset": "unsloth_calibration_Qwen3-VL-8B-Instruct.txt",
          "quantize.imatrix.entries_count": 252,
          "quantize.imatrix.file": "Qwen3-VL-8B-Instruct-GGUF/imatrix_unsloth.gguf",
          "qwen3vl.attention.head_count": 32,
          "qwen3vl.attention.head_count_kv": 8,
          "qwen3vl.attention.key_length": 128,
          "qwen3vl.attention.layer_norm_rms_epsilon": 0.000001,
          "qwen3vl.attention.value_length": 128,
          "qwen3vl.block_count": 36,
          "qwen3vl.context_length": 262144,
          "qwen3vl.embedding_length": 4096,
          "qwen3vl.feed_forward_length": 12288,
          "qwen3vl.n_deepstack_layers": 3,
          "qwen3vl.rope.dimension_sections": {
            "type": 5,
            "len": 4,
            "startOffset": 1268,
            "size": 16
          },
          "qwen3vl.rope.freq_base": 5000000,
         "tokenizer.ggml.add_bos_token": false,
          "tokenizer.ggml.bos_token_id": 151643,
          "tokenizer.ggml.eos_token_id": 151645,
          "tokenizer.ggml.merges": {
            "type": 8,
            "len": 151387,
            "startOffset": 3197544,
            "size": 2731548
          },

This PR adds support for scanning OCI model artifacts (specifically GGUF-based AI models) stored in OCI registries. The
implementation enables Syft to extract SBOM information from AI models without downloading the entire model file—only
the GGUF headers are fetched using a lazy reader that closes after we've read all the header bytes.

Key changes:

• New ocimodelsource package implementing a source provider for OCI model artifacts
• Registry client that fetches only GGUF headers (up to 8MB) instead of full model files
• New OCIMediaTypeResolver interface and ContainerImageModel file resolver for media type-based file discovery
• Extended generic cataloger with WithParserByMediaType() to support cataloging by OCI media type
• Post-processor for GGUF cataloger to merge metadata found from multi-layer model artifacts

OCI Model Source

This new source type enables scanning AI models stored as OCI artifacts in container registries (like Docker Hub or other OCI registries).

How it works:

1. Detection: Identifies model artifacts by checking if the manifest's config media type starts with
   application/vnd.docker.ai.model.config.*
2. Selective fetching: Instead of downloading entire GGUF layers (often 4-70GB), it uses HTTP range requests to fetch
   only the first 8MB containing the GGUF header metadata. The download is terminated early by closing the reader after
   reading the header bytes.
3. Temporary storage: Headers are written to temp files, keyed by the layer digest, and cleaned up when the source is
   closed.
4. File resolver: A new ContainerImageModel resolver implements both file.Resolver and file.OCIMediaTypeResolver,
   allowing catalogers to discover layers by OCI media type (application/vnd.docker.ai.gguf.v3) rather than filesystem
   paths.
5. Provider integration: Registered as the oci-model provider, positioned after the regular pull providers in the source
   provider chain—so normal container images are handled first, and this kicks in only for artifacts with model-specific
   media types. It also makes it so that for syft's current MOST common cases (non ai containers) we're not adding extra work.

Keys Goals:

• Scanning a 70GB LLaMA model takes seconds instead of minutes
• No disk space needed for full model storage
• Works with Docker's AI model packaging spec and Ollama registries

[wagoodman]

we should take a pass to unexport whatever doesn't need to be in the public API

[spiffcs]

First big change to make here is how the Provider and Source interact. Provider should be thin and call Source, Source should do most of the work, provider should return the source.Source answer.