feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs2/operations/airgap.md

@@ -0,0 +1,34 @@
+# Air-gap and offline kit
+
+## Offline Kit contents (typical)
+- Signed advisory and VEX feeds
+- Container images for core services
+- Analyzer plugins and manifests
+- Debug symbol store for deterministic diagnostics
+- Telemetry collector bundle
+- Task packs and operator docs
+- Signed manifests and checksums
+
+## Verify and import
+- Verify the kit tarball signature before import.
+- Verify the manifest signature and checksum list.
+- Import is atomic and retains the previous feed set until validation passes.
+
+## Delta updates
+- Daily deltas apply only changed artifacts.
+- Full kits are used as reset baselines when needed.
+- Deltas must reference a known baseline manifest digest.
+
+## Sealed mode and time anchors
+- Sealed mode forbids external egress by default.
+- Time anchors and staleness budgets keep offline verification deterministic.
+- Air-gap installs should pin trusted roots and time anchor bundles.
+
+## AOC and raw-data verification
+- Run AOC verify checks against advisory_raw and vex_raw collections.
+- Reject any raw data that violates provenance or append-only rules.
+
+## Offline verification
+- DSSE envelopes and cached transparency proofs enable local verification.
+- Reachability and replay bundles can be verified without network access.
+- Keep analyzer manifests and policy hashes with the replay bundle.