feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages

- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.

src/Scanner/AGENTS.md

@@ -110,6 +110,53 @@ Compute vulnerability surfaces by diffing vulnerable vs fixed package versions:
 - Confidence tiers: Confirmed (trigger reachable) > Likely (API reachable) > Present (dep only)
 - Path witnesses include surface evidence for audit trail
 
+## Binary + Call-Stack Reachability (Sprint 3800 Series)
+
+Layered binary reachability with attestable slices for CVE triage:
+
+### Sprint Summary
+- **3800**: Binary call-edge enhancement (disassembly, PLT/IAT, dynamic loading)
+- **3810**: CVE→Symbol mapping and slice format
+- **3820**: Slice query and replay APIs
+- **3830**: VEX integration and policy binding
+- **3840**: Runtime trace merge (eBPF/ETW)
+- **3850**: OCI storage and CLI commands
+
+See: `docs/implplan/SPRINT_3800_SUMMARY.md`
+
+### Libraries
+- `StellaOps.Scanner.Reachability.Slices` - Slice extraction, DSSE signing, verdict computation
+- `StellaOps.Scanner.Advisory` - CVE→symbol mapping integration with Concelier
+- `StellaOps.Scanner.Runtime` - eBPF/ETW runtime trace collectors
+- `StellaOps.Scanner.Storage.Oci` - OCI artifact storage for slices
+
+### Key Types
+- `ReachabilitySlice` - Minimal attestable proof unit for CVE reachability
+- `SliceQuery` - Query parameters (CVE, symbols, entrypoints, policy)
+- `SliceVerdict` - Result status (reachable/unreachable/unknown/gated)
+- `VulnSurfaceResult` - CVE→symbol mapping result with confidence
+
+### Predicate Schema
+- URI: `stellaops.dev/predicates/reachability-slice@v1`
+- Schema: `docs/schemas/stellaops-slice.v1.schema.json`
+- DSSE-signed slices for audit trail
+
+### Slice API Endpoints
+- `POST /api/slices/query` - Query reachability for CVE/symbols
+- `GET /api/slices/{digest}` - Retrieve attested slice
+- `POST /api/slices/replay` - Verify slice reproducibility
+
+### CLI Commands (Sprint 3850)
+- `stella binary submit` - Submit binary graph
+- `stella binary info` - Display graph info
+- `stella binary symbols` - List symbols
+- `stella binary verify` - Verify attestation
+
+### Documentation
+- `docs/reachability/slice-schema.md` - Slice format specification
+- `docs/reachability/cve-symbol-mapping.md` - CVE→symbol service design
+- `docs/reachability/replay-verification.md` - Replay workflow guide
+
 ## Engineering Rules
 - Target `net10.0`; prefer latest C# preview allowed in repo.
 - Offline-first: no new external network calls; use cached feeds (`/local-nugets`).