feat: Enhance MongoDB storage with event publishing and outbox support

- Added `MongoAdvisoryObservationEventPublisher` and `NatsAdvisoryObservationEventPublisher` for event publishing.
- Registered `IAdvisoryObservationEventPublisher` to choose between NATS and MongoDB based on configuration.
- Introduced `MongoAdvisoryObservationEventOutbox` for outbox pattern implementation.
- Updated service collection to include new event publishers and outbox.
- Added a new hosted service `AdvisoryObservationTransportWorker` for processing events.

feat: Update project dependencies

- Added `NATS.Client.Core` package to the project for NATS integration.

test: Add unit tests for AdvisoryLinkset normalization

- Created `AdvisoryLinksetNormalizationConfidenceTests` to validate confidence score calculations.

fix: Adjust confidence assertion in `AdvisoryObservationAggregationTests`

- Updated confidence assertion to allow a range instead of a fixed value.

test: Implement tests for AdvisoryObservationEventFactory

- Added `AdvisoryObservationEventFactoryTests` to ensure correct mapping and hashing of observation events.

chore: Configure test project for Findings Ledger

- Created `Directory.Build.props` for test project configuration.
- Added `StellaOps.Findings.Ledger.Exports.Unit.csproj` for unit tests related to findings ledger exports.

feat: Implement export contracts for findings ledger

- Defined export request and response contracts in `ExportContracts.cs`.
- Created various export item records for findings, VEX, advisories, and SBOMs.

feat: Add export functionality to Findings Ledger Web Service

- Implemented endpoints for exporting findings, VEX, advisories, and SBOMs.
- Integrated `ExportQueryService` for handling export logic and pagination.

test: Add tests for Node language analyzer phase 22

- Implemented `NodePhase22SampleLoaderTests` to validate loading of NDJSON fixtures.
- Created sample NDJSON file for testing.

chore: Set up isolated test environment for Node tests

- Added `node-isolated.runsettings` for isolated test execution.
- Created `node-tests-isolated.sh` script for running tests in isolation.

docs/modules/concelier/events/advisory.observation.updated@1.json

@@ -0,0 +1,27 @@
+{
+  "eventId": "8c5e9d4e-54c0-4fb3-9e0c-7c4cdbf74c6a",
+  "tenantId": "urn:tenant:123e4567-e89b-12d3-a456-426614174000",
+  "observationId": "6560606df3c5d6ad3b5a1234",
+  "advisoryId": "CVE-2024-99999",
+  "source": {
+    "vendor": "ghsa",
+    "stream": "advisories",
+    "api": "https://api.github.com/advisories",
+    "collectorVersion": "1.12.0"
+  },
+  "linksetSummary": {
+    "aliases": ["GHSA-xxxx-yyyy-zzzz", "CVE-2024-99999"],
+    "purls": ["pkg:npm/lodash@4.17.21"],
+    "cpes": ["cpe:/a:lodash:lodash:4.17.21"],
+    "scopes": ["runtime"],
+    "relationships": [
+      {"type": "contains", "source": "pkg:npm/lodash@4.17.21", "target": "file://dist/lodash.js", "provenance": "ghsa"}
+    ]
+  },
+  "supersedesId": "65605fdaf3c5d6ad3b5a0fff",
+  "documentSha": "2f8f568cc1ed3474f0a4564ddb8c64f4b4d176fbe0a2a98a02b88e822a4f5b6d",
+  "observationHash": "10f4fc0b5c1a1d4c266fafd2b4f45618f6a0a4b86087c3e67e4c1a2c8f38e990",
+  "ingestedAt": "2025-11-20T14:35:12Z",
+  "traceId": "trace-4f29d7f6f1f147da",
+  "replayCursor": "cs-0000000172-0001"
+}

docs/modules/concelier/events/advisory.observation.updated@1.md

@@ -0,0 +1,44 @@
+# advisory.observation.updated@1 · Event contract
+
+Purpose: unblock CONCELIER-GRAPH-21-002 by freezing the platform event shape for observation changes emitted by Concelier. This is the only supported event for observation churn; downstreams subscribe for evidence fan-out and replay bundles.
+
+## Envelope & transport
+- Subject: `concelier.advisory.observation.updated.v1`
+- Type/version: `advisory.observation.updated@1`
+- Transport: NATS (primary), Redis Stream `concelier:advisory.observation.updated:v1` (fallback). Both carry the same DSSE envelope.
+- DSSE payloadType: `application/vnd.stellaops.advisory.observation.updated.v1+json`.
+- Signature: Ed25519 via Platform Events signer; attach Rekor UUID when available. Offline kits treat the envelope as the source of truth.
+
+## Payload (JSON)
+| Field | Type | Rules |
+| --- | --- | --- |
+| `eventId` | string (uuid) | Generated by publisher; idempotency key.
+| `tenantId` | string | `urn:tenant:{uuid}`; required for multi-tenant routing.
+| `observationId` | string (ObjectId) | Mongo `_id` of the observation document.
+| `advisoryId` | string | Upstream advisory identifier (e.g., CVE, GHSA, vendor id).
+| `source` | object | `{ vendor, stream, api, collectorVersion }`; lowercase vendor, non-empty.
+| `linksetSummary` | object | `{ aliases: string[], purls: string[], cpes?: string[], scopes?: string[], relationships?: object[] }` all arrays pre-sorted ASCII.
+| `supersedesId` | string (ObjectId, optional) | Previous observation `_id` if this is a new revision; omitted otherwise.
+| `documentSha` | string | SHA-256 of raw upstream document.
+| `observationHash` | string | Stable hash over canonicalized observation JSON (tenant, source, advisoryId, documentSha, fetchedAt).
+| `ingestedAt` | string (ISO-8601 UTC) | Timestamp when appended.
+| `traceId` | string (optional) | Propagated from ingest job/request; aids join with logs/metrics.
+| `replayCursor` | string | Monotone cursor for offline bundle ordering (tick from change stream resume token).
+
+### Determinism & ordering
+- Arrays sorted ASCII; objects field-sorted when hashing.
+- `eventId` + `replayCursor` provide exactly-once consumer handling; duplicates must be ignored when `observationHash` unchanged.
+- No judgments: only raw facts and hash pointers; any derived severity/merge content is forbidden.
+
+### Error contracts for Scheduler
+- Retryable NATS/Redis failures use backoff capped at 30s; after 5 attempts, emit `concelier.events.dlq` with the same envelope and `error` field describing transport failure.
+- Consumers must NACK on schema validation failure; publisher logs `ERR_EVENT_SCHEMA` and quarantines the offending observation id.
+
+## Sample payload
+See `advisory.observation.updated@1.sample.json` (canonical field order, ASCII sorted arrays). Hashes intentionally short for readability; replace with real values in tests.
+
+## Schema
+`advisory.observation.updated@1.schema.json` provides a JSON Schema (draft 2020-12) for runtime validation; any additional fields are rejected.
+
+## Compatibility note
+Sprint tracker referenced `sbom.observation.updated`; this contract standardises on `advisory.observation.updated@1`. If a legacy alias is required for interim consumers, mirror the envelope on subject `surface.sbom.observation.updated.v1` with identical payload.

docs/modules/concelier/events/advisory.observation.updated@1.sample.json

@@ -0,0 +1,27 @@
+{
+  "eventId": "8c5e9d4e-54c0-4fb3-9e0c-7c4cdbf74c6a",
+  "tenantId": "urn:tenant:123e4567-e89b-12d3-a456-426614174000",
+  "observationId": "6560606df3c5d6ad3b5a1234",
+  "advisoryId": "CVE-2024-99999",
+  "source": {
+    "vendor": "ghsa",
+    "stream": "advisories",
+    "api": "https://api.github.com/advisories",
+    "collectorVersion": "1.12.0"
+  },
+  "linksetSummary": {
+    "aliases": ["GHSA-xxxx-yyyy-zzzz", "CVE-2024-99999"],
+    "purls": ["pkg:npm/lodash@4.17.21"],
+    "cpes": ["cpe:/a:lodash:lodash:4.17.21"],
+    "scopes": ["runtime"],
+    "relationships": [
+      {"type": "contains", "source": "pkg:npm/lodash@4.17.21", "target": "file://dist/lodash.js", "provenance": "ghsa"}
+    ]
+  },
+  "supersedesId": "65605fdaf3c5d6ad3b5a0fff",
+  "documentSha": "2f8f568cc1ed3474f0a4564ddb8c64f4b4d176fbe0a2a98a02b88e822a4f5b6d",
+  "observationHash": "10f4fc0b5c1a1d4c266fafd2b4f45618f6a0a4b86087c3e67e4c1a2c8f38e990",
+  "ingestedAt": "2025-11-20T14:35:12Z",
+  "traceId": "trace-4f29d7f6f1f147da",
+  "replayCursor": "cs-0000000172-0001"
+}

docs/modules/concelier/events/advisory.observation.updated@1.schema.json

@@ -0,0 +1,68 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.org/concelier/advisory.observation.updated@1.schema.json",
+  "title": "advisory.observation.updated@1",
+  "type": "object",
+  "required": [
+    "eventId",
+    "tenantId",
+    "observationId",
+    "advisoryId",
+    "source",
+    "linksetSummary",
+    "documentSha",
+    "observationHash",
+    "ingestedAt",
+    "replayCursor"
+  ],
+  "additionalProperties": false,
+  "properties": {
+    "eventId": { "type": "string", "format": "uuid" },
+    "tenantId": { "type": "string", "pattern": "^urn:tenant:[0-9a-fA-F-]{36}$" },
+    "observationId": { "type": "string", "pattern": "^[a-f0-9]{24}$" },
+    "advisoryId": { "type": "string", "minLength": 1 },
+    "source": {
+      "type": "object",
+      "required": ["vendor", "stream", "api", "collectorVersion"],
+      "additionalProperties": false,
+      "properties": {
+        "vendor": { "type": "string", "minLength": 1 },
+        "stream": { "type": "string", "minLength": 1 },
+        "api": { "type": "string", "minLength": 1 },
+        "collectorVersion": { "type": "string", "minLength": 1 }
+      }
+    },
+    "linksetSummary": {
+      "type": "object",
+      "required": ["aliases", "purls"],
+      "additionalProperties": false,
+      "properties": {
+        "aliases": { "type": "array", "items": { "type": "string" }, "uniqueItems": true },
+        "purls": { "type": "array", "items": { "type": "string" }, "uniqueItems": true },
+        "cpes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true },
+        "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true },
+        "relationships": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["type", "source", "target"],
+            "additionalProperties": false,
+            "properties": {
+              "type": { "type": "string" },
+              "source": { "type": "string" },
+              "target": { "type": "string" },
+              "provenance": { "type": "string" }
+            }
+          },
+          "uniqueItems": false
+        }
+      }
+    },
+    "supersedesId": { "type": "string", "pattern": "^[a-f0-9]{24}$" },
+    "documentSha": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
+    "observationHash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
+    "ingestedAt": { "type": "string", "format": "date-time" },
+    "traceId": { "type": "string" },
+    "replayCursor": { "type": "string", "minLength": 1 }
+  }
+}