robustness: audit .unwrap() calls in non-test code

[Darkroom4364]

143 `.unwrap()` calls in `src/` (non-test). A panic during a scan is a bad look for a security tool.

Approach

• Triage by blast radius: scan-path code (parsing, rule matching, reporting) is highest priority
• Replace with `.ok()`, `.unwrap_or_default()`, or propagate with `?` as appropriate
• Leave `.unwrap()` where the invariant is truly guaranteed and add a comment explaining why
• Not a blanket replace — each site needs judgment

[peaktwilight]

Progress note: #279 addressed the highest-risk scan-path unwrap audit item, but this issue should stay open. A current count still shows many .unwrap() calls under src/, including test-only modules and production-looking regex/parser paths. Next pass should separate intentional invariant unwraps from remaining panic paths and either replace them or add invariant comments.