docs: add Reference Rule Libraries appendix mapping components to rule fields #63

Open
eeee2345 wants to merge 1 commit into aarm-dev:main from eeee2345:docs/reference-rule-library-appendix

Conversation

@eeee2345

Summary

AARM defines the spec, but the conformance story benefits from a reference rule library showing how a concrete rule pack instantiates each component. An integrator reading the System Components pages still has to decide which fields of a detection rule populate the Action Mediation Layer, which drive the PDP, and which end up signed into a receipt. This appendix makes that mapping explicit.

What this PR adds

  • appendix/reference-rule-libraries.mdx: a new page under a new "Appendix" group in the Specification tab.
  • Updated docs.json to register the group in navigation.

The page contains:

  1. A short definition of what a reference rule library is and which AARM components consume it.
  2. A mapping table from each component to the rule fields that populate it.
  3. A worked example annotating one rule from the Agent Threat Rules (ATR) standard, tracing each field to the AARM component it activates.
  4. An "Other Reference Libraries" placeholder so the appendix can grow as other libraries adopt the mapping.

ATR is used as the worked example because it is MIT-licensed, openly available, and already deployed at Microsoft and Cisco, so the mapping can be exercised against real rule data. The appendix is intentionally non-exclusive: the mapping is normative, the choice of library is not.

Notes

No changes to normative spec text or conformance requirements. Happy to revise framing, naming, or placement (Appendix vs. inside System Components) if the working group prefers.
