feat: grant should have a `policy` command that aids users in constructing a baseline policy for their images or software

Open spiffcs opened this issue 1 year ago • 0 comments

Some examples of this would be to generate a policy of exclusions from an image that is already known as compliant.

Example:

```
grant policy --exclude image:base:latest
```

^ This would generate a policy that has exceptions for the packages and their license associations in the base image.

When a user goes to use grant against a production image built with the above, they will know they are only keying on licenses introduced during a build process. The grant policy would exclude licenses/packages from the base image.

spiffcs, Feb 05 '24 18:02
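
A sketch of the baseline-exclusion logic this request describes, as an added example that is not grant's code or its policy format. The `Finding` type, both functions, the deny list and the sample data are assumptions made for illustration; exclusions are keyed on the package/license pair so that a build-time package sharing a license with the base image is still reported.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one package/license association reported for an image.
type Finding struct{ Package, License string }

// Baseline builds the exclusion set from a known-compliant base image.
// It keys on the package/license pair, not on the license alone.
func Baseline(base []Finding) map[Finding]bool {
	exclude := make(map[Finding]bool, len(base))
	for _, f := range base {
		exclude[f] = true
	}
	return exclude
}

// Introduced returns the findings in a built image that carry a denied
// license and are not covered by the baseline, sorted by package name.
func Introduced(image []Finding, exclude map[Finding]bool, denied map[string]bool) []Finding {
	var out []Finding
	for _, f := range image {
		if denied[f.License] && !exclude[f] {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Package < out[j].Package })
	return out
}

func main() {
	// Constructed sample data; package names are placeholders.
	base := []Finding{{"base-shell", "GPL-2.0-only"}, {"base-libc", "MIT"}}
	prod := append([]Finding{}, base...)
	prod = append(prod,
		Finding{"new-tool", "GPL-2.0-only"},  // same license as base-shell, still reported
		Finding{"base-libc", "GPL-3.0-only"}, // base package, new license association
		Finding{"app", "Apache-2.0"},
	)
	denied := map[string]bool{"GPL-2.0-only": true, "GPL-3.0-only": true}
	for _, f := range Introduced(prod, Baseline(base), denied) {
		fmt.Printf("%s\t%s\n", f.Package, f.License)
	}
}
```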