Add integration e2e coverage: GitHubApp, advisory pipeline, Rekor, eBPF hardening

- GitHubApp: 11 new tests (health, CRUD lifecycle, update, delete, UI SCM tab)
- Advisory pipeline: 16 tests (fixture data verification, source management smoke,
  initial/incremental sync, cross-source merge, canonical query API, UI catalog)
  with KEV/GHSA/EPSS fixture data files for deterministic testing
- Rekor transparency: 7 tests (container health, submit/get/verify round-trip,
  log consistency, attestation API) gated behind E2E_REKOR=1
- eBPF agent: 3 edge case tests (unreachable endpoint, coexistence, degraded health)
  plus mock limitation documentation in test header
- Fix UI search race: wait for table rows before counting rowsBefore
- Advisory fixture now serves real data (KEV JSON, GHSA list, EPSS CSV)
- Runtime host fixture adds degraded health endpoint

Suite: 143 passed, 0 failed, 32 skipped in 13.5min (up from 123 tests)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/fixtures/integration-fixtures/advisory/data/epss-scores.csv

@@ -0,0 +1,12 @@
+#model_version:v2026.03.01,score_date:2026-03-30
+cve,epss,percentile
+CVE-2024-0001,0.92,0.99
+CVE-2024-0002,0.78,0.96
+CVE-2024-0003,0.45,0.88
+CVE-2024-0004,0.33,0.82
+CVE-2024-0005,0.12,0.65
+CVE-2024-0010,0.67,0.94
+CVE-2024-0011,0.08,0.52
+CVE-2024-1000,0.02,0.30
+CVE-2024-1001,0.01,0.15
+CVE-2024-1002,0.005,0.08

devops/compose/fixtures/integration-fixtures/advisory/data/ghsa-list.json

@@ -0,0 +1,124 @@
+[
+  {
+    "ghsa_id": "GHSA-e2e1-test-0001",
+    "cve_id": "CVE-2024-0001",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0001",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0001",
+    "summary": "Apache HTTP Server Path Traversal allows RCE",
+    "description": "A path traversal vulnerability in Apache HTTP Server 2.4.49 through 2.4.50 allows attackers to map URLs to files outside the configured document root via crafted path components.",
+    "severity": "critical",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0001" },
+      { "type": "CVE", "value": "CVE-2024-0001" }
+    ],
+    "aliases": ["CVE-2024-0001"],
+    "published_at": "2026-01-10T00:00:00Z",
+    "updated_at": "2026-03-15T12:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "Maven",
+          "name": "org.apache.httpd:httpd"
+        },
+        "vulnerable_version_range": ">= 2.4.49, <= 2.4.50",
+        "patched_versions": "2.4.51",
+        "vulnerable_functions": []
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+      "score": 9.8
+    },
+    "cwes": [
+      { "cwe_id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory" }
+    ],
+    "credits": [
+      { "login": "security-researcher-1", "type": "reporter" }
+    ],
+    "references": [
+      { "url": "https://httpd.apache.org/security/vulnerabilities_24.html" },
+      { "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0001" }
+    ]
+  },
+  {
+    "ghsa_id": "GHSA-e2e1-test-0002",
+    "cve_id": "CVE-2024-0010",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0002",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0002",
+    "summary": "lodash prototype pollution via merge functions",
+    "description": "Versions of lodash prior to 4.17.21 are vulnerable to prototype pollution via the merge, mergeWith, and defaultsDeep functions.",
+    "severity": "high",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0002" },
+      { "type": "CVE", "value": "CVE-2024-0010" }
+    ],
+    "aliases": ["CVE-2024-0010"],
+    "published_at": "2026-02-01T00:00:00Z",
+    "updated_at": "2026-03-20T08:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "npm",
+          "name": "lodash"
+        },
+        "vulnerable_version_range": "< 4.17.21",
+        "patched_versions": "4.17.21",
+        "vulnerable_functions": ["merge", "mergeWith", "defaultsDeep"]
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
+      "score": 7.4
+    },
+    "cwes": [
+      { "cwe_id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes" }
+    ],
+    "credits": [],
+    "references": [
+      { "url": "https://github.com/lodash/lodash/issues/4744" }
+    ]
+  },
+  {
+    "ghsa_id": "GHSA-e2e1-test-0003",
+    "cve_id": "CVE-2024-0011",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0003",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0003",
+    "summary": "Express.js open redirect vulnerability",
+    "description": "Express.js versions before 4.19.0 are vulnerable to open redirect when untrusted user input is passed to the res.redirect() function.",
+    "severity": "medium",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0003" },
+      { "type": "CVE", "value": "CVE-2024-0011" }
+    ],
+    "aliases": ["CVE-2024-0011"],
+    "published_at": "2026-03-01T00:00:00Z",
+    "updated_at": "2026-03-25T16:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "npm",
+          "name": "express"
+        },
+        "vulnerable_version_range": "< 4.19.0",
+        "patched_versions": "4.19.0",
+        "vulnerable_functions": ["redirect"]
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+      "score": 6.1
+    },
+    "cwes": [
+      { "cwe_id": "CWE-601", "name": "URL Redirection to Untrusted Site" }
+    ],
+    "credits": [
+      { "login": "security-researcher-2", "type": "reporter" }
+    ],
+    "references": [
+      { "url": "https://expressjs.com/en/advanced/security-updates.html" }
+    ]
+  }
+]

devops/compose/fixtures/integration-fixtures/advisory/data/kev-catalog.json

@@ -0,0 +1,73 @@
+{
+  "title": "CISA Known Exploited Vulnerabilities Catalog",
+  "catalogVersion": "2026.04.01",
+  "dateReleased": "2026-04-01T00:00:00.000Z",
+  "count": 5,
+  "vulnerabilities": [
+    {
+      "cveID": "CVE-2024-0001",
+      "vendorProject": "Apache",
+      "product": "HTTP Server",
+      "vulnerabilityName": "Apache HTTP Server Path Traversal",
+      "dateAdded": "2026-01-15",
+      "shortDescription": "Apache HTTP Server contains a path traversal vulnerability that allows remote code execution.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-02-15",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://httpd.apache.org/security/",
+      "cwes": ["CWE-22"]
+    },
+    {
+      "cveID": "CVE-2024-0002",
+      "vendorProject": "Microsoft",
+      "product": "Windows",
+      "vulnerabilityName": "Windows Kernel Privilege Escalation",
+      "dateAdded": "2026-01-20",
+      "shortDescription": "Microsoft Windows kernel contains a privilege escalation vulnerability.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-02-20",
+      "knownRansomwareCampaignUse": "Known",
+      "notes": "https://msrc.microsoft.com/",
+      "cwes": ["CWE-269"]
+    },
+    {
+      "cveID": "CVE-2024-0003",
+      "vendorProject": "Google",
+      "product": "Chrome",
+      "vulnerabilityName": "Chrome V8 Type Confusion",
+      "dateAdded": "2026-02-01",
+      "shortDescription": "Google Chrome V8 engine contains a type confusion vulnerability allowing sandbox escape.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-03-01",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://chromereleases.googleblog.com/",
+      "cwes": ["CWE-843"]
+    },
+    {
+      "cveID": "CVE-2024-0004",
+      "vendorProject": "OpenSSL",
+      "product": "OpenSSL",
+      "vulnerabilityName": "OpenSSL Buffer Overflow",
+      "dateAdded": "2026-02-10",
+      "shortDescription": "OpenSSL contains a buffer overflow vulnerability in X.509 certificate verification.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-03-10",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://www.openssl.org/news/secadv/",
+      "cwes": ["CWE-120"]
+    },
+    {
+      "cveID": "CVE-2024-0005",
+      "vendorProject": "Linux",
+      "product": "Linux Kernel",
+      "vulnerabilityName": "Linux Kernel Use-After-Free",
+      "dateAdded": "2026-03-01",
+      "shortDescription": "Linux kernel contains a use-after-free vulnerability in the netfilter subsystem.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-04-01",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://kernel.org/",
+      "cwes": ["CWE-416"]
+    }
+  ]
+}

devops/compose/fixtures/integration-fixtures/advisory/default.conf

@@ -4,6 +4,36 @@ server {
 
     default_type application/json;
 
+    # -----------------------------------------------------------------------
+    # Advisory data endpoints (for pipeline sync tests)
+    # -----------------------------------------------------------------------
+
+    # KEV catalog — realistic CISA Known Exploited Vulnerabilities feed
+    location = /kev/known_exploited_vulnerabilities.json {
+        alias /etc/nginx/data/kev-catalog.json;
+        add_header Content-Type "application/json";
+        add_header ETag '"e2e-kev-v1"';
+    }
+
+    # GHSA list — GitHub Security Advisories (REST-style)
+    location = /ghsa/security/advisories {
+        alias /etc/nginx/data/ghsa-list.json;
+        add_header Content-Type "application/json";
+        add_header X-RateLimit-Limit "5000";
+        add_header X-RateLimit-Remaining "4990";
+        add_header X-RateLimit-Reset "1893456000";
+    }
+
+    # EPSS scores — Exploit Prediction Scoring System (CSV)
+    location = /epss/epss_scores-current.csv {
+        alias /etc/nginx/data/epss-scores.csv;
+        add_header Content-Type "text/csv";
+    }
+
+    # -----------------------------------------------------------------------
+    # Source health/connectivity endpoints (for onboarding tests)
+    # -----------------------------------------------------------------------
+
     # CERT-In (India) - unreachable from most networks
     location /cert-in {
         return 200 '{"status":"healthy","source":"cert-in","description":"CERT-In fixture proxy"}';

devops/compose/fixtures/integration-fixtures/runtime-host/default.conf

@@ -7,6 +7,11 @@ server {
         return 200 '{"status":"healthy","agent":"ebpf","version":"0.9.0","pid":1,"uptime_seconds":3600,"kernel":"6.1.0","probes_loaded":12,"events_per_second":450}';
     }
 
+    location /api/v1/health-degraded {
+        default_type application/json;
+        return 200 '{"status":"degraded","agent":"ebpf","version":"0.9.0","pid":1,"uptime_seconds":120,"kernel":"6.1.0","probes_loaded":3,"events_per_second":10}';
+    }
+
     location /api/v1/info {
         default_type application/json;
         return 200 '{"agent_type":"ebpf","hostname":"stellaops-runtime-host","os":"linux","arch":"amd64","kernel_version":"6.1.0","probes":["syscall_open","syscall_exec","net_connect","file_access","process_fork","mmap_exec","ptrace_attach","module_load","bpf_prog_load","cgroup_attach","namespace_create","capability_use"]}';