Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.

docs/modules/advisory-ai/architecture.md

@@ -56,6 +56,24 @@
   - Dependency paths (runtime vs build/test, deduped by coordinate chain).
   - Tenant environment flags (prod/stage toggles) with optional blast radius summary.
   - Service-side clamps: max 500 timeline entries, 200 dependency paths, with client-provided toggles for env/blast data.
+  - `AddSbomContextHttpClient(...)` registers the typed HTTP client that calls `/v1/sbom/context`, while `NullSbomContextClient` remains the safe default for environments that have not yet exposed the SBOM service.
+
+  **Sample configuration** (wire real SBOM base URL + API key):
+
+  ```csharp
+  services.AddSbomContextHttpClient(options =>
+  {
+      options.BaseAddress = new Uri("https://sbom-service.internal");
+      options.Endpoint = "/v1/sbom/context";
+      options.ApiKey = configuration["SBOM_SERVICE_API_KEY"];
+      options.UserAgent = "stellaops-advisoryai/1.0";
+      options.Tenant = configuration["TENANT_ID"];
+  });
+
+  services.AddAdvisoryPipeline();
+  ```
+
+  After configuration, issue a smoke request (e.g., `ISbomContextRetriever.RetrieveAsync`) during deployment validation to confirm end-to-end connectivity and credentials before enabling Advisory AI endpoints.
 
 Retriever requests and results are trimmed/normalized before hashing; metadata (counts, provenance keys) is returned for downstream guardrails. Unit coverage ensures deterministic ordering and flag handling.
 
@@ -69,6 +87,7 @@ All context references include `content_hash` and `source_id` enabling verifiabl
   - Citations follow `[n]` indexing referencing actual sources.
   - Remediation suggestions only cite policy-approved sources (fixed versions, vendor hotfixes).
 - Moderation/PII filters prevent leaking secrets; responses failing validation are rejected and logged.
+- Pre-flight guardrails redact secrets (AWS keys, generic API tokens, PEM blobs), block "ignore previous instructions"-style prompt injection attempts, enforce citation presence, and cap prompt payload length (default 16 kB). Guardrail outcomes and redaction counts surface via `advisory_guardrail_blocks` / `advisory_outputs_stored` metrics.
 
 ## 5) Deterministic tooling
 
@@ -95,10 +114,8 @@ All context references include `content_hash` and `source_id` enabling verifiabl
 
 ## 8) APIs
 
-- `POST /v1/advisory-ai/summaries` — generate (or retrieve cached) summary for `{advisoryKey, artifactId, policyVersion}`.
-- `POST /v1/advisory-ai/conflicts` — explain conflicting VEX statements with trust ranking.
-- `POST /v1/advisory-ai/remediation` — fetch remediation plan with target fix versions, prerequisites, verification steps.
-- `GET /v1/advisory-ai/outputs/{hash}` — retrieve cached artefact (used by CLI/Console/Export Center).
+- `POST /api/v1/advisory/{task}` — executes Summary/Conflict/Remediation pipeline (`task` ∈ `summary|conflict|remediation`). Requests accept `{advisoryKey, artifactId?, policyVersion?, profile, preferredSections?, forceRefresh}` and return sanitized prompt payloads, citations, guardrail metadata, provenance hash, and cache hints.
+- `GET /api/v1/advisory/outputs/{cacheKey}?taskType=SUMMARY&profile=default` — retrieves cached artefacts for downstream consumers (Console, CLI, Export Center). Guardrail state and provenance hash accompany results.
 
 All endpoints accept `profile` parameter (default `fips-local`) and return `output_hash`, `input_digest`, and `citations` for verification.
 

docs/modules/advisory-ai/orchestration-pipeline.md

@@ -50,6 +50,7 @@ Wire the deterministic pipeline (Summary / Conflict / Remediation flows) into th
 - **Scope:** Implement prompt assembler, connect to guardrails, persist cache entries w/ DSSE metadata.
 - **Dependencies:** Prompt templates, cache storage decision, guardrail interface.
 - **Exit:** Deterministic outputs stored; force-refresh honoured; tests cover prompt assembly + caching.
+> 2025-11-03: Prompt assembler now emits deterministic JSON payloads, guardrail pipeline wiring is stubbed for upcoming security hardening, and outputs persist with DSSE-ready provenance metadata plus golden test coverage.
 
 ### AIAI-31-004C (CLI integration & docs)
 
@@ -57,6 +58,13 @@ Wire the deterministic pipeline (Summary / Conflict / Remediation flows) into th
 - **Dependencies:** Service endpoints stable, caching semantics documented.
 - **Exit:** CLI command produces deterministic output, docs updated, smoke tests recorded.
 
+### AIAI-31-006 (Service API surface)
+
+- **Scope:** Expose REST endpoints for summary/conflict/remediation execution plus cached output retrieval (`POST /api/v1/advisory/{task}`, `GET /api/v1/advisory/outputs/{cacheKey}`). Include guardrail execution, provenance hashing, metrics, and stubs for RBAC/rate limits.
+- **Dependencies:** Guardrail enforcement (AIAI-31-005), Authority scope wiring (`advisory-ai:view` / `advisory-ai:operate`), Offline kit docs.
+- **Exit:** Endpoints return sanitized prompts with citations, guardrail metadata, DSSE hash, and plan cache indicators; OpenAPI description updated; rate-limit hooks ready for Authority integration.
+> 2025-11-03: Initial REST surface shipped – direct execution runs through guardrail pipeline, outputs persist with DSSE-ready provenance, metrics `advisory_outputs_stored`/`advisory_guardrail_blocks` emit, and cache retrieval endpoint exposes stored artefacts (RBAC/header enforcement pending scope delivery).
+
 ### Supporting tasks (other guilds)
 
 - **AUTH-AIAI-31-004** – Update scopes and DSSE policy (Authority guild).