Fix CVE schema taxonomy violations: lowercase severity, document product_name index, add repos.json

[Copilot]

Three taxonomy consistency issues in the CVE schema identified in dotnet/core#10327.

Severity case normalization (breaking)

cve.json used uppercase "HIGH", "CRITICAL" etc. in disclosures[].cvss.severity and severity_cves keys, violating the kebab-case-lower rule established by severity.json. Lowercased both to match the taxonomy.

// Before
"severity": "HIGH"
"severity_cves": { "HIGH": [...], "CRITICAL": [], "MEDIUM": [], "LOW": [] }

// After
"severity": "high"
"severity_cves": { "high": [...], "critical": [], "medium": [], "low": [] }

product_name{} documented as computed index

Added an Indexes section to dotnet-guidance.md clarifying that product_name{} is a computed projection of products.json generated at file-creation time — not a separately maintained copy. Updated the schema description accordingly.

repos.json taxonomy (new file)

Added repos.json to formally define valid repo identifiers and bridge commit key namespaces to product slugs. The product field is the key value: it lets consumers resolve runtime@979135d → dotnet-runtime without hardcoding.

{
  "string": "runtime",
  "org": "dotnet",
  "display_name": ".NET Runtime",
  "product": "dotnet-runtime"
}

Covers runtime, aspnetcore, sdk, winforms, and wpf. Referenced in the dotnet-guidance.md taxonomy list with a new Repos section.