test(scoring): fix stale empty-tags reachability expectations (main is red)

[Amr-Saad]

Two assertions in tests/test_scoring.py still encode the old reachability default (requires_auth, ×0.5) for findings with no reachability tags, so main is currently red on them.

src/sec_af/scoring.py was intentionally changed so an empty tag set defaults to externally_reachable (×1.0) — documented inline in _reachability_multiplier:

The previous default of requires_auth (0.5) severely penalised every finding when reachability assessment is not wired into the DAG path — causing critical CWEs to score 2.5/10.

The file’s other tests already use explicit reachability tags consistent with the new model; only these two lagged.

Changes (tests only)

Test	was	now	math
…defaults_reachability_when_missing	1.05	2.1	LOW 3.0 × SANITIZATION_BYPASSABLE 0.7 × externally_reachable 1.0
…multipliers_and_default_behavior[set()]	2.5	5.0	MEDIUM 5.0 × FULL_EXPLOIT 1.0 × externally_reachable 1.0

Added inline comments so the empty-vs-non-empty default ({custom_tag} still falls back to requires_auth ×0.5) is explicit.

Verification

• Full suite: 105 passed (was 2 failed), via pip install -e .[dev] + pytest.
• ruff check tests/test_scoring.py: clean.
• No production code touched.

🤖 Generated with Claude Code

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}