Bundle 7 issue fixes: hashable Finding, distinct ADM ids, unified PWD-002 guidance, SigAge warning, partial-write logging, tz-aware scan_time, IP filter

[TiltedLunar123]

Summary

Closes seven open GitHub issues with small, isolated fixes. Each commit is its own logical unit so individual fixes can be reverted in isolation if needed.

Fixes

• Missing __hash__ method on Finding class after defining __eq__ #13 Finding is now hashable via __hash__ matching __eq__, so equal findings can be deduplicated through set() or used as dict keys.
• Duplicate check_id ADM-001 used for both success and failure findings #4 Distinct check_ids: ADM-001 for the enumeration-failure path, ADM-002 for the success-case member-count finding in check_local_admins.
• Password policy title says >= 12 but description says CIS recommends 14 #5 PWD-002 title and description now both reference 14 characters (CIS recommendation). Borderline lengths 12-13 are now flagged WARNING instead of passing.
• [High] Silent failure when antivirus signature age is unparseable #19 check_antivirus now emits an AV-003 WARNING finding when Get-MpComputerStatus returns a non-numeric SigAge, instead of silently dropping the result.
• [Low] "Reports saved" logged even when HTML report write fails #22 Each report write in winrecon.cli is wrapped in its own try/except. Success message only appears when every requested report lands; partial and total failures get their own log lines. Logic was extracted into write_reports() for direct unit testing.
• Scan timestamp uses local time without timezone information #16 system_info.scan_time is now produced by datetime.now(timezone.utc).isoformat(timespec="seconds"), matching the JSON schema's format: date-time declaration.
• IPv6 link-local and APIPA addresses not filtered in collect_system_info #12 _is_uninteresting_ip now also filters IPv6 link-local (fe80:) and IPv4 APIPA (169.254.) addresses out of system_info.ip_addresses.

Test plan

• python -m pytest -q passes (143 tests, up from 122)
• python -m ruff check . clean
• 21 new tests cover the new behavior:
  • TestFindingHash (3): hashability, hash-equality, set-deduplication
  • TestAdminCheckIds (2): success path uses ADM-002, failure path keeps ADM-001
  • TestPasswordPolicyMessaging (3): short/borderline/compliant length cases
  • TestAntivirusSigAge (3): unparseable, empty, current values
  • TestPartialReportFailureLogging (4): partial failure, full success, total failure, json-only
  • TestSystemInfoScanTime (1): RFC 3339 with UTC offset
  • TestUninterestingIpFilter (5): loopback v4/v6, APIPA, link-local v6, real addresses
• Manual run on a Windows host to confirm reports still emit correctly (left for reviewer; protected repo)

Notes

• No major dependency bumps.
• No public API changes beyond ADM-001 -> ADM-002 for the success-case finding (consumers parsing JSON by check_id should update if they rely on the old behavior; this was a bug per Duplicate check_id ADM-001 used for both success and failure findings #4).
• winrecon.cli.write_reports is now a public-ish helper. It is not exported through __init__.py.