test(vex): cover apply() counter and effect branches

[Metbcy]

What

Adds a test module to src/vex/apply.rs (which had zero direct tests) exercising every increment site and effect branch in the VEX apply pipeline.

Why

Part of #35 (cargo-mutants audit on src/vex/**). The mutants run flagged 13 survivors clustered in apply.rs — including the "replace apply with ()" mutant, which means the entire function could be neutered and CI would stay green. That's a real regression risk: silent counter drift means wrong vex_suppressed_count in the summary, and a neutered apply() means --vex flags get ignored entirely.

What's covered

• Empty-index fast path is a no-op (no annotations, no count bump)
• Vulns branch: suppression drops the vuln, retain(!is_empty) removes empty purl keys, affected entries get annotated under cve:<purl>:<id>
• Typosquats: suppression vs under_investigation annotation paths
• Version jumps, maintainer age, license violations: each suppression path counted independently
• vex_suppressed_count uses +=, not =: pre-existing counts from prior passes are preserved

Mutants killed (expected)

Site	Mutants
replace apply with ()	1
6× suppressed += 1 (+= -> -=/*=, replace += with =)	~12
enrichment.vex_suppressed_count += suppressed line 139	3

Re-running cargo-mutants on src/vex/apply.rs after this merges should drop the missed count substantially. A follow-up PR will mop up the remaining survivors in mod.rs, synthetic_id.rs, and detect_format.

Test counts

• Before: 391 lib tests
• After: 399 lib tests (+8)

All green locally with RUSTFLAGS="-D warnings" cargo build --all-targets --all-features + cargo clippy --all-targets --all-features -- -D warnings + cargo fmt --check.

Refs #35.

[github-actions]

Coverage report

Line coverage: 85.2% (9642 / 11311 lines)

Full lcov report available as workflow artifact coverage-lcov: download from this run.

_{v0.9.8 introduces this report; --fail-under-lines will be added once coverage is visible across 2–3 releases.}