feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs2/architecture/reachability-vex.md

@@ -0,0 +1,25 @@
+# Reachability and VEX
+
+## Reachability evidence
+- Static call graphs are produced by Scanner analyzers.
+- Runtime traces are collected by Zastava when enabled.
+- Union bundles combine static and runtime evidence for scoring and replay.
+
+## Hybrid reachability attestations
+- Graph-level DSSE is required for every reachability graph.
+- Optional edge-bundle DSSE captures contested or runtime edges.
+- Rekor publishing can be tiered; offline kits cache proofs when available.
+
+## Reachability scoring (Signals)
+- Bucket model: entrypoint, direct, runtime, unknown, unreachable.
+- Default weights: entrypoint 1.0, direct 0.85, runtime 0.45, unknown 0.5, unreachable 0.0.
+- Unknowns pressure reduces the final score to avoid false safety.
+
+## VEX consensus
+- Excititor ingests and normalizes VEX statements (OpenVEX, CSAF VEX).
+- Policy Engine merges evidence using lattice logic with explicit Unknown handling.
+- Decisions include evidence refs and can be exported as downstream VEX.
+
+## Unknowns registry
+- Unknowns are first-class objects with scoring, SLA bands, and evidence links.
+- Unknowns are stored with deterministic ordering and exported for offline review.