feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs2/modules/index.md

@@ -0,0 +1,151 @@
+# Modules
+
+## Core services
+
+Authority
+- Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
+- Inputs: client credentials, device code, or auth code.
+- Outputs: JWT access tokens with tenant, audience, and scope claims.
+- Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.
+
+Signer
+- Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
+- Inputs: signing requests from trusted services and PoE proof.
+- Outputs: DSSE bundles for SBOMs, reports, and exports.
+- Storage: audit logs only; keys live in KMS or keyless providers.
+
+Attestor
+- Purpose: log DSSE bundles to Rekor and provide verification APIs.
+- Inputs: DSSE bundles from Signer or Scanner.
+- Outputs: Rekor entries and proofs, verification results.
+- Storage: PostgreSQL for receipts and indexes.
+
+Scanner (Web + Worker)
+- Purpose: deterministic SBOM generation, inventory and usage views, diffs.
+- Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
+- Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
+- Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.
+
+Concelier
+- Purpose: ingest and normalize advisory sources under AOC.
+- Inputs: vendor and ecosystem advisory feeds.
+- Outputs: raw advisory facts, linksets, deterministic exports.
+- Storage: PostgreSQL (vuln schema).
+
+Excititor
+- Purpose: ingest VEX statements under AOC and preserve conflicts.
+- Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
+- Outputs: normalized VEX observations and consensus views.
+- Storage: PostgreSQL (vex schema).
+
+Policy Engine
+- Purpose: deterministic policy evaluation with explain traces and unknowns.
+- Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
+- Outputs: verdicts, effective findings, decision traces, derived VEX.
+- Storage: PostgreSQL (policy schema).
+
+Scheduler
+- Purpose: impact selection and analysis-only re-evaluation.
+- Inputs: advisory and VEX deltas, BOM index metadata.
+- Outputs: rescan jobs and delta events.
+- Storage: PostgreSQL (scheduler schema), Valkey for queues.
+
+Notify
+- Purpose: route events to channels with rules and templates.
+- Inputs: scan and scheduler events.
+- Outputs: deliveries to Slack, Teams, email, webhooks.
+- Storage: PostgreSQL (notify schema), Valkey for queues.
+
+Export Center
+- Purpose: deterministic export bundles and offline mirror layouts.
+- Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
+- Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
+- Storage: RustFS and PostgreSQL.
+
+CLI
+- Purpose: automation and verification for scanning, export, and replay.
+- Inputs: user commands and offline bundles.
+- Outputs: API calls, local verification reports.
+
+UI and Console
+- Purpose: operator console for scans, policy, VEX, and notifications.
+- Inputs: API responses, SSE streams.
+- Outputs: operational workflows and audit views.
+
+Advisory AI
+- Purpose: evidence-grounded analysis with guardrails.
+- Inputs: SBOM and evidence bundles.
+- Outputs: structured findings and guidance artifacts.
+
+Orchestrator
+- Purpose: job DAGs and pack runs for automation.
+- Inputs: job definitions and run requests.
+- Outputs: run status, job artifacts.
+- Storage: PostgreSQL (orchestrator schema).
+
+Registry Token Service
+- Purpose: issue tokens for internal registry and scoped pulls.
+- Inputs: client credentials.
+- Outputs: short-lived registry tokens.
+
+Graph Explorer
+- Purpose: graph indexing and exploration for evidence and relationships.
+- Inputs: graph snapshots and overlays.
+- Outputs: graph queries and exports.
+
+VEX Lens
+- Purpose: reproducible consensus views over VEX statements.
+- Inputs: normalized VEX observations and trust weights.
+- Outputs: consensus status and evidence refs.
+
+Vulnerability Explorer
+- Purpose: triage workflows and evidence ledger views.
+- Inputs: effective findings and Decision Capsules.
+- Outputs: triage actions and audit records.
+
+Telemetry Stack
+- Purpose: metrics, logs, traces, and dashboards.
+- Inputs: service telemetry and audit events.
+- Outputs: dashboards and alerts.
+
+DevOps and Release
+- Purpose: release trains, signing, and distribution workflows.
+- Inputs: build artifacts and manifests.
+- Outputs: signed releases and offline kit bundles.
+
+Platform
+- Purpose: cross-cutting determinism, offline, and identity rules.
+
+CI Recipes
+- Purpose: deterministic CI templates and guardrails.
+
+Zastava
+- Purpose: runtime observer and optional admission enforcement.
+- Inputs: runtime facts and policy verdicts.
+- Outputs: runtime events and admission decisions.
+
+## Supporting and adjacent modules
+
+Issuer Directory
+- Trust registry for VEX issuers and keys.
+
+VexHub
+- Aggregation and distribution of VEX statements for downstream consumers.
+
+SBOM Service
+- Deterministic SBOM projections and lineage ledger.
+
+Signals
+- Reachability scoring, unknowns registry, and signal APIs.
+
+TaskRunner
+- Deterministic task pack execution with approvals and evidence capture.
+
+BinaryIndex
+- Binary identity mapping for patch-aware and backport-aware matching.
+
+Benchmark
+- Benchmark harness and ground-truth corpus management.
+
+Gateway and Router (optional)
+- Edge routing and transport abstraction for deployments that require a shared ingress.