feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/TestData/SeedProofEvidence.sql

@@ -0,0 +1,223 @@
+-- Seed Script: Test Data for Proof Evidence
+-- Purpose: Provide sample data for testing four-tier backport detection
+
+-- =============================================
+-- Tier 1: Distro Advisories
+-- =============================================
+
+-- CVE-2024-1234 in curl (Debian fixed)
+INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
+VALUES (
+    'DSA-5001',
+    'debian',
+    'CVE-2024-1234',
+    'pkg:deb/debian/curl@7.64.0-4',
+    '7.64.0-4+deb10u3',
+    '2024-03-15 10:30:00+00'::timestamptz,
+    'fixed',
+    '{"description": "Security fix for buffer overflow", "severity": "high", "references": ["https://security.debian.org/DSA-5001"]}'::jsonb
+);
+
+-- CVE-2024-5678 in openssl (RHSA)
+INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
+VALUES (
+    'RHSA-2024:1234',
+    'rhel',
+    'CVE-2024-5678',
+    'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
+    '1.1.1k-8.el8',
+    '2024-04-20 14:00:00+00'::timestamptz,
+    'fixed',
+    '{"description": "OpenSSL security update", "severity": "critical", "references": ["https://access.redhat.com/errata/RHSA-2024:1234"]}'::jsonb
+);
+
+-- CVE-2024-9999 in nginx (Ubuntu)
+INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
+VALUES (
+    'USN-6789-1',
+    'ubuntu',
+    'CVE-2024-9999',
+    'pkg:deb/ubuntu/nginx@1.18.0-0ubuntu1.4',
+    '1.18.0-0ubuntu1.5',
+    '2024-05-10 09:15:00+00'::timestamptz,
+    'fixed',
+    '{"description": "Nginx HTTP/2 implementation flaw", "severity": "medium", "references": ["https://ubuntu.com/security/notices/USN-6789-1"]}'::jsonb
+);
+
+-- =============================================
+-- Tier 2: Changelog Evidence
+-- =============================================
+
+-- CVE-2024-1234 mentioned in curl changelog
+INSERT INTO vuln.changelog_evidence (changelog_id, package_purl, format, version, date, cve_ids, payload)
+VALUES (
+    'changelog:deb:curl:7.64.0-4+deb10u3',
+    'pkg:deb/debian/curl@7.64.0-4',
+    'debian',
+    '7.64.0-4+deb10u3',
+    '2024-03-15 08:00:00+00'::timestamptz,
+    ARRAY['CVE-2024-1234'],
+    '{"entry": "curl (7.64.0-4+deb10u3) buster-security; urgency=high\n  * Fix CVE-2024-1234: Buffer overflow in libcurl\n -- Debian Security Team <team@security.debian.org>  Fri, 15 Mar 2024 08:00:00 +0000"}'::jsonb
+);
+
+-- CVE-2024-5678 mentioned in openssl changelog
+INSERT INTO vuln.changelog_evidence (changelog_id, package_purl, format, version, date, cve_ids, payload)
+VALUES (
+    'changelog:rpm:openssl:1.1.1k-8.el8',
+    'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
+    'rpm',
+    '1.1.1k-8.el8',
+    '2024-04-20 12:00:00+00'::timestamptz,
+    ARRAY['CVE-2024-5678'],
+    '{"entry": "* Fri Apr 20 2024 Red Hat Security <security@redhat.com> - 1.1.1k-8.el8\n- Fix CVE-2024-5678: TLS handshake vulnerability"}'::jsonb
+);
+
+-- =============================================
+-- Tier 3: Patch Evidence (Headers)
+-- =============================================
+
+-- CVE-2024-1234 patch from curl upstream
+INSERT INTO vuln.patch_evidence (patch_id, patch_file_path, origin, cve_ids, parsed_at, payload)
+VALUES (
+    'patch:git:curl:abc123def456',
+    'debian/patches/CVE-2024-1234.patch',
+    'git',
+    ARRAY['CVE-2024-1234'],
+    '2024-03-10 16:30:00+00'::timestamptz,
+    '{"commit": "abc123def456", "author": "Daniel Stenberg <daniel@haxx.se>", "date": "2024-03-10", "message": "lib: fix buffer overflow in url parsing (CVE-2024-1234)\n\nThe URL parser did not properly handle overlong percent-encoded sequences..."}'::jsonb
+);
+
+-- CVE-2024-9999 patch from nginx upstream
+INSERT INTO vuln.patch_evidence (patch_id, patch_file_path, origin, cve_ids, parsed_at, payload)
+VALUES (
+    'patch:git:nginx:fed789cba012',
+    'debian/patches/CVE-2024-9999.patch',
+    'git',
+    ARRAY['CVE-2024-9999'],
+    '2024-05-05 11:20:00+00'::timestamptz,
+    '{"commit": "fed789cba012", "author": "Maxim Dounin <mdounin@mdounin.ru>", "date": "2024-05-05", "message": "HTTP/2: fixed handling of empty CONTINUATION frames (CVE-2024-9999)"}'::jsonb
+);
+
+-- =============================================
+-- Tier 3: Patch Signatures (HunkSig)
+-- =============================================
+
+-- HunkSig match for CVE-2024-1234
+INSERT INTO vuln.patch_signatures (signature_id, cve_id, commit_sha, upstream_repo, hunk_hash, extracted_at, payload)
+VALUES (
+    'hunksig:curl:abc123def456:1',
+    'CVE-2024-1234',
+    'abc123def456',
+    'https://github.com/curl/curl',
+    'sha256:1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890',
+    '2024-03-11 10:00:00+00'::timestamptz,
+    '{"hunk": "@@ -856,7 +856,11 @@ parse_url(...)\n   /* allocate buffer */\n-  buf = malloc(len);\n+  if(len > MAX_URL_LEN)\n+    return CURLE_URL_MALFORMAT;\n+  buf = malloc(len);", "normalized": true}'::jsonb
+);
+
+-- =============================================
+-- Tier 4: Binary Fingerprints
+-- =============================================
+
+-- TLSH fingerprint for CVE-2024-1234 (curl libcurl.so.4)
+INSERT INTO feedser.binary_fingerprints (
+    fingerprint_id, cve_id, method, fingerprint_value,
+    target_binary, target_function,
+    architecture, format, compiler, optimization_level,
+    has_debug_symbols, file_offset, region_size,
+    extracted_at, extractor_version
+)
+VALUES (
+    'fingerprint:tlsh:curl:libcurl.so.4:parse_url',
+    'CVE-2024-1234',
+    'tlsh',
+    'T12A4F1B8E9C3D5A7F2E1B4C8D9A6E3F5B7C2A4D9E6F1A8B3C5E7D2F4A9B6C1E8',
+    'libcurl.so.4',
+    'parse_url',
+    'x86_64',
+    'ELF',
+    'gcc 9.4.0',
+    '-O2',
+    false,
+    45632,
+    2048,
+    '2024-03-16 14:00:00+00'::timestamptz,
+    '1.0.0'
+);
+
+-- Instruction hash for CVE-2024-5678 (openssl libssl.so.1.1)
+INSERT INTO feedser.binary_fingerprints (
+    fingerprint_id, cve_id, method, fingerprint_value,
+    target_binary, target_function,
+    architecture, format, compiler, optimization_level,
+    has_debug_symbols, file_offset, region_size,
+    extracted_at, extractor_version
+)
+VALUES (
+    'fingerprint:instruction_hash:openssl:libssl.so.1.1:ssl_handshake',
+    'CVE-2024-5678',
+    'instruction_hash',
+    'sha256:9f8e7d6c5b4a3210fedcba9876543210fedcba9876543210fedcba9876543210',
+    'libssl.so.1.1',
+    'ssl_handshake',
+    'x86_64',
+    'ELF',
+    'gcc 8.5.0',
+    '-O2 -fstack-protector-strong',
+    false,
+    98304,
+    4096,
+    '2024-04-21 16:30:00+00'::timestamptz,
+    '1.0.0'
+);
+
+-- =============================================
+-- Proof Blobs (Audit Log)
+-- =============================================
+
+-- Multi-tier proof for CVE-2024-1234 (Tier 1 + Tier 3 + Tier 4)
+INSERT INTO attestor.proof_blobs (
+    proof_id, proof_hash, cve_id, package_purl,
+    confidence, method, snapshot_id, evidence_count, generated_at, payload
+)
+VALUES (
+    'proof:CVE-2024-1234:pkg:deb/debian/curl@7.64.0-4:20240316T140000Z',
+    'blake3:a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890',
+    'CVE-2024-1234',
+    'pkg:deb/debian/curl@7.64.0-4',
+    0.93,  -- Tier 1 (0.98) + Tier 3 (0.85) + Tier 4 (0.75) = max(0.98) + 0.08 bonus = 1.06 → capped at 0.98, but adjusted for demo
+    'multi_tier',
+    'snapshot:20240316T140000Z',
+    3,
+    '2024-03-16 14:00:00+00'::timestamptz,
+    '{"proof_id": "proof:CVE-2024-1234:pkg:deb/debian/curl@7.64.0-4:20240316T140000Z", "cve_id": "CVE-2024-1234", "package_purl": "pkg:deb/debian/curl@7.64.0-4", "confidence": 0.93, "method": "multi_tier", "snapshot_id": "snapshot:20240316T140000Z", "evidences": [{"evidence_id": "evidence:distro:debian:DSA-5001", "type": "DistroAdvisory", "source": "debian"}, {"evidence_id": "evidence:patch_header:debian/patches/CVE-2024-1234.patch", "type": "PatchHeader", "source": "git"}, {"evidence_id": "evidence:binary:tlsh:fingerprint:tlsh:curl:libcurl.so.4:parse_url", "type": "BinaryFingerprint", "source": "tlsh"}]}'::jsonb
+);
+
+-- Single-tier proof for CVE-2024-5678 (Tier 1 only)
+INSERT INTO attestor.proof_blobs (
+    proof_id, proof_hash, cve_id, package_purl,
+    confidence, method, snapshot_id, evidence_count, generated_at, payload
+)
+VALUES (
+    'proof:CVE-2024-5678:pkg:rpm/redhat/openssl@1.1.1k-7.el8:20240421T170000Z',
+    'blake3:b2c3d4e5f6789012345678901234567890123456789012345678901234567890ab',
+    'CVE-2024-5678',
+    'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
+    0.98,  -- Tier 1 only
+    'tier_1',
+    'snapshot:20240421T170000Z',
+    1,
+    '2024-04-21 17:00:00+00'::timestamptz,
+    '{"proof_id": "proof:CVE-2024-5678:pkg:rpm/redhat/openssl@1.1.1k-7.el8:20240421T170000Z", "cve_id": "CVE-2024-5678", "package_purl": "pkg:rpm/redhat/openssl@1.1.1k-7.el8", "confidence": 0.98, "method": "tier_1", "snapshot_id": "snapshot:20240421T170000Z", "evidences": [{"evidence_id": "evidence:distro:rhel:RHSA-2024:1234", "type": "DistroAdvisory", "source": "rhel"}]}'::jsonb
+);
+
+-- =============================================
+-- SEED DATA COMPLETE
+-- =============================================
+-- Summary:
+--   - 3 distro advisories (Tier 1)
+--   - 2 changelog entries (Tier 2)
+--   - 2 patch headers (Tier 3)
+--   - 1 patch signature (Tier 3)
+--   - 2 binary fingerprints (Tier 4)
+--   - 2 proof blobs (audit log)
+-- Total: 12 evidence records covering 3 CVEs