Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.

etc/bootstrap/notify/rules/airgap-ops.rule.json

@@ -0,0 +1,50 @@
+{
+  "schemaVersion": "notify.rule@1",
+  "ruleId": "rule-airgap-ops",
+  "tenantId": "bootstrap",
+  "name": "Air-gap operations alerts",
+  "description": "Send time-drift, bundle import, and portable export notifications with remediation steps.",
+  "enabled": true,
+  "match": {
+    "eventKinds": [
+      "airgap.time.drift",
+      "airgap.bundle.import",
+      "airgap.portable.export.completed"
+    ],
+    "minSeverity": "medium",
+    "labels": [],
+    "namespaces": [],
+    "repositories": [],
+    "digests": [],
+    "componentPurls": [],
+    "verdicts": [],
+    "kevOnly": false,
+    "vex": {
+      "includeAcceptedJustifications": true,
+      "includeRejectedJustifications": true,
+      "includeUnknownJustifications": true,
+      "justificationKinds": []
+    }
+  },
+  "actions": [
+    {
+      "actionId": "email-airgap-ops",
+      "channel": "email:airgap-ops",
+      "template": "airgap-ops",
+      "enabled": true,
+      "metadata": {
+        "locale": "en-us"
+      }
+    }
+  ],
+  "labels": {
+    "category": "airgap"
+  },
+  "metadata": {
+    "source": "bootstrap-pack"
+  },
+  "createdBy": "bootstrap-pack",
+  "createdAt": "2025-11-03T08:00:00Z",
+  "updatedBy": "bootstrap-pack",
+  "updatedAt": "2025-11-03T08:00:00Z"
+}

etc/bootstrap/notify/templates/airgap-ops-email.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-airgap-ops-email",
+  "tenantId": "bootstrap",
+  "channelType": "email",
+  "key": "airgap-ops",
+  "locale": "en-us",
+  "renderMode": "html",
+  "format": "email",
+  "description": "Air-gapped operations alert for time drift, bundle imports, and portable exports.",
+  "body": "<p><strong>Air-gap status:</strong> {{payload.status}} (severity {{payload.severity}})</p>\n{{#if payload.driftSeconds}}<p>Current drift: {{payload.driftSeconds}} seconds. Remaining budget: {{payload.remainingSeconds}} seconds (anchor issued {{payload.anchorIssuedAt}}).</p>{{/if}}\n{{#if payload.bundleId}}<p><strong>Portable bundle:</strong> <code>{{payload.bundleId}}</code> (profile {{payload.profile}}) exported at {{payload.exportedAt}}.</p>{{/if}}\n{{#if payload.sizeBytes}}<p>Bundle size: {{payload.sizeBytes}} bytes.</p>{{/if}}\n{{#if payload.checksum.sha256}}<p>Checksum (SHA-256): <code>{{payload.checksum.sha256}}</code></p>{{/if}}\n{{#if payload.checksum.sha512}}<p>Checksum (SHA-512): <code>{{payload.checksum.sha512}}</code></p>{{/if}}\n{{#if payload.locations}}<p><strong>Locations</strong></p><ul>{{#each payload.locations}}<li>{{#if path}}File: <code>{{path}}</code>{{/if}}{{#if reference}}OCI: <code>{{reference}}</code>{{/if}}{{#if availableUntil}} (available until {{availableUntil}}){{/if}}</li>{{/each}}</ul>{{/if}}\n{{#if payload.warnings}}<p><strong>Warnings</strong></p><ul>{{#each payload.warnings}}<li>{{message}}</li>{{/each}}</ul>{{/if}}\n<p>{{payload.remediation}}</p>\n{{#if payload.links.docs}}<p>{{link \"Review guidance\" payload.links.docs}}</p>{{/if}}\n{{#if payload.links.manifest}}<p>{{link \"View manifest\" payload.links.manifest}}</p>{{/if}}",
+  "metadata": {
+    "author": "bootstrap-pack",
+    "version": "2025-11-03"
+  }
+}