
feat: expand parser fixture matrix and unify sudo signal semantics#8

Merged
stacknil merged 1 commit into main from codex/feat/parser-fixture-matrix-v0.2
Mar 19, 2026

Conversation

@stacknil
Owner

Closes #4
Closes #5

Summary

  • expand sanitized sshd / pam_unix fixture coverage in both syslog_legacy and journalctl_short_full modes
  • keep unknown-line telemetry deterministic and explicit
  • move sudo handling onto the signal layer so detectors consume one unified input model
  • preserve detector thresholds and existing report schema

What changed

  • added dedicated parser fixture matrix files for syslog and journalctl short-full
  • added parser tests for recognized vs unrecognized coverage and unknown-pattern buckets
  • added SudoCommand and SudoSessionOpened signal kinds
  • migrated sudo burst detection from raw Event input to normalized signal input

Behavior preserved

  • detector thresholds unchanged
  • report schema unchanged
  • SSH/PAM auth signal behavior unchanged
  • unsupported PAM session-close lines remain telemetry-only

Verification

  • built with g++
  • passed test_parser
  • passed test_detector
  • passed test_cli

Deferred

  • sudo signal configurability via config.json
  • broader signal renaming from AuthSignal to a more general type
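The "signal layer" the PR moves sudo handling onto, shown as an added example that is not the project's own code: a small C++ parser that turns syslog_legacy sshd, sudo and pam_unix lines into normalized signals, keeps unrecognised lines as explicit Unknown telemetry bucketed by program name, and a sudo burst detector that consumes only those signals instead of raw events. All type and function names here (SignalKind, Signal, parse_line, unknown_buckets, sudo_bursts) are hypothetical stand-ins for whatever the project actually defines; the kind names SudoCommand and SudoSessionOpened are borrowed from the PR text. The log lines, host names, users and addresses are constructed, timestamps are ordinal rather than parsed, and the threshold and window values are arbitrary.

```cpp
#include <algorithm>
#include <cstddef>
#include <deque>
#include <iostream>
#include <map>
#include <regex>
#include <string>
#include <vector>

// Hypothetical signal model (assumption: only the kind names SudoCommand and
// SudoSessionOpened come from the PR; the project's real types are not shown).
enum class SignalKind { SshAuthFailure, SudoCommand, SudoSessionOpened, Unknown };

struct Signal {
    SignalKind kind;
    std::string user;    // actor: ssh login name or sudo invoker
    long ts;             // seconds; constructed ordinal, not parsed from the line
    std::string bucket;  // program name, used only for unknown-line telemetry
};

// Parse one syslog_legacy line ("Mon DD HH:MM:SS host prog[pid]: msg") into a
// Signal. Lines the parser does not recognise are kept as Unknown with the
// program name as their bucket, so telemetry stays explicit and deterministic.
Signal parse_line(const std::string& line, long ts) {
    static const std::regex head(
        R"(^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([A-Za-z_]+)(?:\[\d+\])?: ?(.*)$)");
    static const std::regex ssh_fail(R"(^Failed password for (?:invalid user )?(\S+) from )");
    static const std::regex sudo_cmd(R"(^\s*(\S+) : TTY=.* ; COMMAND=)");
    static const std::regex sudo_open(
        R"(^pam_unix\(sudo:session\): session opened for user \S+ by (\S+)\(uid=\d+\))");
    std::smatch m;
    if (!std::regex_match(line, m, head)) return {SignalKind::Unknown, "", ts, "malformed"};
    const std::string prog = m[1].str(), msg = m[2].str();
    std::smatch mm;
    if (prog == "sshd" && std::regex_search(msg, mm, ssh_fail))
        return {SignalKind::SshAuthFailure, mm[1].str(), ts, prog};
    if (prog == "sudo" && std::regex_search(msg, mm, sudo_cmd))
        return {SignalKind::SudoCommand, mm[1].str(), ts, prog};
    if (prog == "sudo" && std::regex_search(msg, mm, sudo_open))
        return {SignalKind::SudoSessionOpened, mm[1].str(), ts, prog};
    // e.g. pam_unix "session closed" lines stay telemetry-only, as in the PR
    return {SignalKind::Unknown, "", ts, prog};
}

// Unknown-pattern buckets: how many unrecognised lines each program produced.
std::map<std::string, std::size_t> unknown_buckets(const std::vector<Signal>& sigs) {
    std::map<std::string, std::size_t> out;
    for (const auto& s : sigs)
        if (s.kind == SignalKind::Unknown) ++out[s.bucket];
    return out;
}

// Sudo burst detector that consumes normalized signals only: a user with at
// least `threshold` SudoCommand signals inside any `window`-second span is
// flagged once. Signals are assumed to arrive in timestamp order.
std::vector<std::string> sudo_bursts(const std::vector<Signal>& sigs,
                                     std::size_t threshold, long window) {
    std::map<std::string, std::deque<long>> recent;
    std::vector<std::string> flagged;
    for (const auto& s : sigs) {
        if (s.kind != SignalKind::SudoCommand) continue;
        auto& q = recent[s.user];
        q.push_back(s.ts);
        while (!q.empty() && s.ts - q.front() > window) q.pop_front();
        if (q.size() >= threshold &&
            std::find(flagged.begin(), flagged.end(), s.user) == flagged.end())
            flagged.push_back(s.user);
    }
    return flagged;
}

// Constructed sample in syslog_legacy style; host, users and address are placeholders.
std::vector<Signal> sample_signals() {
    const std::vector<std::string> lines = {
        "Mar 19 10:00:01 host1 sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
        "Mar 19 10:00:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
        "Mar 19 10:00:02 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)",
        "Mar 19 10:00:03 host1 sudo: pam_unix(sudo:session): session closed for user root",
        "Mar 19 10:00:04 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd",
        "Mar 19 10:00:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root",
        "Mar 19 10:00:40 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
        "Mar 19 10:00:41 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    };
    std::vector<Signal> out;
    long ts = 0;
    for (const auto& l : lines) out.push_back(parse_line(l, ts++));
    return out;
}

int main() {
    const auto sigs = sample_signals();
    for (const auto& kv : unknown_buckets(sigs))
        std::cout << "unknown[" << kv.first << "]=" << kv.second << '\n';
    for (const auto& u : sudo_bursts(sigs, 3, 10))
        std::cout << "sudo burst: " << u << '\n';
    return 0;
}
```

Because the detector never touches the raw line, swapping in a journalctl short-full front end only requires a second `parse_line` that emits the same Signal kinds; thresholds and downstream reporting stay untouched, which is the point of the migration described above.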

@stacknil stacknil merged commit 68554bd into main Mar 19, 2026
7 checks passed