feat: Add in-memory implementations for issuer audit, key, repository, and trust management

- Introduced InMemoryIssuerAuditSink to retain audit entries for testing.
- Implemented InMemoryIssuerKeyRepository for deterministic key storage.
- Created InMemoryIssuerRepository to manage issuer records in memory.
- Added InMemoryIssuerTrustRepository for managing issuer trust overrides.
- Each repository utilizes concurrent collections for thread-safe operations.
- Enhanced deprecation tracking with a comprehensive YAML schema for API governance.

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/ReachabilityUnionWriterTests.cs

@@ -38,4 +38,132 @@ public class ReachabilityUnionWriterTests
         var nodeLines = await File.ReadAllLinesAsync(Path.Combine(temp.Path, "reachability_graphs/analysis-x/nodes.ndjson"));
         Assert.Contains(nodeLines, l => l.Contains("sym:dotnet:A"));
     }
+
+    [Fact]
+    public async Task WritesNodePurlAndSymbolDigest()
+    {
+        var writer = new ReachabilityUnionWriter();
+        using var temp = new TempDir();
+
+        var graph = new ReachabilityUnionGraph(
+            Nodes: new[]
+            {
+                new ReachabilityUnionNode(
+                    "sym:dotnet:A",
+                    "dotnet",
+                    "method",
+                    "TestMethod",
+                    null,
+                    null,
+                    Purl: "pkg:nuget/TestPackage@1.0.0",
+                    SymbolDigest: "sha256:abc123")
+            },
+            Edges: Array.Empty<ReachabilityUnionEdge>());
+
+        var result = await writer.WriteAsync(graph, temp.Path, "analysis-purl");
+
+        var nodeLines = await File.ReadAllLinesAsync(result.Nodes.Path);
+        Assert.Single(nodeLines);
+        Assert.Contains("\"purl\":\"pkg:nuget/TestPackage@1.0.0\"", nodeLines[0]);
+        Assert.Contains("\"symbol_digest\":\"sha256:abc123\"", nodeLines[0]);
+    }
+
+    [Fact]
+    public async Task WritesEdgePurlAndSymbolDigest()
+    {
+        var writer = new ReachabilityUnionWriter();
+        using var temp = new TempDir();
+
+        var graph = new ReachabilityUnionGraph(
+            Nodes: new[]
+            {
+                new ReachabilityUnionNode("sym:dotnet:A", "dotnet", "method"),
+                new ReachabilityUnionNode("sym:dotnet:B", "dotnet", "method")
+            },
+            Edges: new[]
+            {
+                new ReachabilityUnionEdge(
+                    "sym:dotnet:A",
+                    "sym:dotnet:B",
+                    "call",
+                    "high",
+                    null,
+                    Purl: "pkg:nuget/TargetPackage@2.0.0",
+                    SymbolDigest: "sha256:def456")
+            });
+
+        var result = await writer.WriteAsync(graph, temp.Path, "analysis-edge-purl");
+
+        var edgeLines = await File.ReadAllLinesAsync(result.Edges.Path);
+        Assert.Single(edgeLines);
+        Assert.Contains("\"purl\":\"pkg:nuget/TargetPackage@2.0.0\"", edgeLines[0]);
+        Assert.Contains("\"symbol_digest\":\"sha256:def456\"", edgeLines[0]);
+    }
+
+    [Fact]
+    public async Task WritesEdgeCandidates()
+    {
+        var writer = new ReachabilityUnionWriter();
+        using var temp = new TempDir();
+
+        var graph = new ReachabilityUnionGraph(
+            Nodes: new[]
+            {
+                new ReachabilityUnionNode("sym:binary:main", "binary", "function"),
+                new ReachabilityUnionNode("sym:binary:openssl_connect", "binary", "function")
+            },
+            Edges: new[]
+            {
+                new ReachabilityUnionEdge(
+                    "sym:binary:main",
+                    "sym:binary:openssl_connect",
+                    "call",
+                    "medium",
+                    null,
+                    Purl: null,
+                    SymbolDigest: null,
+                    Candidates: new List<ReachabilityEdgeCandidate>
+                    {
+                        new("pkg:deb/ubuntu/openssl@3.0.2", "sha256:abc", 0.8),
+                        new("pkg:deb/debian/openssl@3.0.2", "sha256:def", 0.6)
+                    })
+            });
+
+        var result = await writer.WriteAsync(graph, temp.Path, "analysis-candidates");
+
+        var edgeLines = await File.ReadAllLinesAsync(result.Edges.Path);
+        Assert.Single(edgeLines);
+        Assert.Contains("\"candidates\":", edgeLines[0]);
+        Assert.Contains("pkg:deb/ubuntu/openssl@3.0.2", edgeLines[0]);
+        Assert.Contains("pkg:deb/debian/openssl@3.0.2", edgeLines[0]);
+        Assert.Contains("\"score\":0.8", edgeLines[0]);
+    }
+
+    [Fact]
+    public async Task OmitsPurlAndSymbolDigestWhenNull()
+    {
+        var writer = new ReachabilityUnionWriter();
+        using var temp = new TempDir();
+
+        var graph = new ReachabilityUnionGraph(
+            Nodes: new[]
+            {
+                new ReachabilityUnionNode("sym:dotnet:A", "dotnet", "method")
+            },
+            Edges: new[]
+            {
+                new ReachabilityUnionEdge("sym:dotnet:A", "sym:dotnet:A", "call")
+            });
+
+        var result = await writer.WriteAsync(graph, temp.Path, "analysis-null-purl");
+
+        var nodeLines = await File.ReadAllLinesAsync(result.Nodes.Path);
+        Assert.DoesNotContain("purl", nodeLines[0]);
+        Assert.DoesNotContain("symbol_digest", nodeLines[0]);
+
+        var edgeLines = await File.ReadAllLinesAsync(result.Edges.Path);
+        Assert.DoesNotContain("purl", edgeLines[0]);
+        Assert.DoesNotContain("symbol_digest", edgeLines[0]);
+        Assert.DoesNotContain("candidates", edgeLines[0]);
+    }
 }

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs

@@ -1,4 +1,5 @@
 using System.Threading.Tasks;
+using StellaOps.Cryptography;
 using StellaOps.Scanner.Reachability;
 using Xunit;
 
@@ -9,7 +10,7 @@ public class RichGraphPublisherTests
     [Fact]
     public async Task PublishesGraphToCas()
     {
-        var writer = new RichGraphWriter();
+        var writer = new RichGraphWriter(CryptoHashFactory.CreateDefault());
         var publisher = new ReachabilityRichGraphPublisher(writer);
         var cas = new FakeFileContentAddressableStore();
 
@@ -21,7 +22,8 @@ public class RichGraphPublisherTests
         var rich = RichGraphBuilder.FromUnion(union, "test", "1.0.0");
         var result = await publisher.PublishAsync(rich, "scan-1", cas, temp.Path);
 
-        Assert.StartsWith("sha256:", result.GraphHash);
+        Assert.Contains(":", result.GraphHash); // hash format: algorithm:digest
+        Assert.StartsWith("cas://reachability/graphs/", result.CasUri);
         Assert.Equal(1, result.NodeCount);
     }
 }

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphWriterTests.cs

@@ -1,5 +1,6 @@
 using System.IO;
 using System.Threading.Tasks;
+using StellaOps.Cryptography;
 using StellaOps.Scanner.Reachability;
 using Xunit;
 
@@ -10,7 +11,7 @@ public class RichGraphWriterTests
     [Fact]
     public async Task WritesCanonicalGraphAndMeta()
     {
-        var writer = new RichGraphWriter();
+        var writer = new RichGraphWriter(CryptoHashFactory.CreateDefault());
         using var temp = new TempDir();
 
         var union = new ReachabilityUnionGraph(
@@ -31,7 +32,7 @@ public class RichGraphWriterTests
         Assert.True(File.Exists(result.MetaPath));
         var json = await File.ReadAllTextAsync(result.GraphPath);
         Assert.Contains("richgraph-v1", json);
-        Assert.StartsWith("sha256:", result.GraphHash);
+        Assert.Contains(":", result.GraphHash); // hash format: algorithm:digest
         Assert.Equal(2, result.NodeCount);
         Assert.Equal(1, result.EdgeCount);
     }