commit and up

docs/07_HIGH_LEVEL_ARCHITECTURE.md

@@ -140,7 +140,7 @@ intra‑component reach‑ins.
 | `identity`      | Embedded OAuth2/OIDC (OpenIddict 6)                | MIT OpenIddict          | `IIdentityProvider` for LDAP/SAML/JWT gateway     |
 | `pluginloader`  | Discover DLLs, SemVer gate, optional Cosign verify | Reflection + Cosign     | `IPluginLifecycleHook` for telemetry              |
 | `scanning`      | SBOM‑ & image‑flow orchestration; runner pool      | Trivy CLI (default)     | `IScannerRunner` – e.g., Grype, Copacetic, Clair  |
-| `feedmerge`    | Nightly NVD merge & feed enrichment                | Hangfire job            | drop‑in `*.Schedule.dll` for OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds |
+| `feedser` (vulnerability ingest/merge/export service) | Nightly NVD merge & feed enrichment                | Hangfire job            | drop-in `*.Schedule.dll` for OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds |
 | `tls`           | TLS provider abstraction                           | OpenSSL                 | `ITlsProvider` for custom suites (incl. **SM2**, where law or security requires it) |
 | `reporting`     | Render HTML/PDF reports                            | RazorLight              | `IReportRenderer`                                 |
 | `ui`            | Angular SPA & i18n                                 | Angular {{ angular }}   | new locales via `/locales/{lang}.json`            |
@@ -152,7 +152,7 @@ classDiagram
     class identity
     class pluginloader
     class scanning
-    class feedmerger
+    class feedser
     class tls
     class reporting
     class ui
@@ -163,13 +163,13 @@ classDiagram
     configuration ..> identity : Uses
     identity ..> pluginloader : Authenticates Plugins
     pluginloader ..> scanning : Loads Scanner Runners
-    scanning ..> feedmerger : Triggers Feed Merges
+    scanning ..> feedser : Triggers Feed Merges
     tls ..> AllModules : Provides TLS Abstraction
     reporting ..> ui : Renders Reports for UI
-    scheduling ..> feedmerger : Schedules Nightly Jobs
+    scheduling ..> feedser : Schedules Nightly Jobs
 
     note for scanning "Pluggable: ISScannerRunner<br>e.g., Trivy, Grype"
-    note for feedmerger "Pluggable: *.Schedule.dll<br>e.g., OSV, GHSA Feeds"
+    note for feedser "Pluggable: *.Schedule.dll<br>e.g., OSV, GHSA Feeds"
     note for identity "Pluggable: IIdentityProvider<br>e.g., LDAP, SAML"
     note for reporting "Pluggable: IReportRenderer<br>e.g., Custom PDF"
 ```
@@ -220,30 +220,29 @@ Builder collects layer digests.
 `POST /layers/missing` → Redis SDIFF → missing layer list (< 20 ms).
 SBOM generated only for those layers and uploaded.
 
-### 4.3 Feed Enrichment
-
-```mermaid
-sequenceDiagram
-    participant CRON as Nightly Cron (Hangfire)
-    participant FM as Feed Merger
-    participant NVD as NVD Feed
-    participant OSV as OSV Plugin (Optional)
-    participant GHSA as GHSA Plugin (Optional)
-    participant REGC as Regional Catalogue Plugin (Optional)
-    participant REDIS as Redis (Merged Feed Storage)
-    participant UI as Web UI
-
-    CRON->>FM: Trigger at 00:59
-    FM->>NVD: Fetch & Merge NVD Data
-    alt Optional Plugins
-        FM->>OSV: Merge OSV Feed
-        FM->>GHSA: Merge GHSA Feed
-        FM->>REGC: Merge Regional Catalogue Feed
-    end
-    FM->>REDIS: Persist Merged Feed
-    REDIS-->>UI: Update Feed Freshness
-    UI->>UI: Display Green 'Feed Age' Tile
-```
+### 4.3 Feedser Harvest & Export
+
+```mermaid
+sequenceDiagram
+    participant SCHED as Feedser Scheduler
+    participant CONN as Source Connector Plug-in
+    participant FEEDSER as Feedser Core
+    participant MONGO as MongoDB (Canonical Advisories)
+    participant EXPORT as Exporter (JSON / Trivy DB)
+    participant ART as Artifact Store / Offline Kit
+
+    SCHED->>CONN: Trigger window (init/resume)
+    CONN->>CONN: Fetch source documents + metadata
+    CONN->>FEEDSER: Submit raw document for parsing
+    FEEDSER->>FEEDSER: Parse & normalize to DTO
+    FEEDSER->>FEEDSER: Merge & deduplicate canonical advisory
+    FEEDSER->>MONGO: Write advisory, provenance, merge_event
+    FEEDSER->>EXPORT: Queue export delta request
+    EXPORT->>MONGO: Read canonical snapshot/deltas
+    EXPORT->>EXPORT: Build deterministic JSON & Trivy DB artifacts
+    EXPORT->>ART: Publish artifacts / Offline Kit bundle
+    ART-->>FEEDSER: Record export state + digests
+```
 
 ### 4.4 Identity & Auth Flow
 
@@ -264,15 +263,15 @@ without Core changes.
 
 | Store          | Primary Use                                   | Why chosen                     |
 |----------------|-----------------------------------------------|--------------------------------|
-| **Redis 7**    | Queue, SBOM cache, Trivy DB mirror            | Sub‑1 ms P99 latency           |
-| **MongoDB**    | History > 180 d, audit logs, policy versions  | Optional; document‑oriented    |
-| **Local tmpfs**| Trivy layer cache (`/var/cache/trivy`)        | Keeps disk I/O off hot path    |
+| **MongoDB**    | Feedser canonical advisories, merge events, export state | Deterministic canonical store with flexible schema |
+| **Redis 7**    | CLI quotas, short-lived job scheduling, layer diff cache | Sub-1 ms P99 latency for hot-path coordination |
+| **Local tmpfs**| Trivy layer cache (`/var/cache/trivy`)        | Keeps disk I/O off hot path    |
 
 ```mermaid
 flowchart LR
     subgraph "Persistence Layers"
-        REDIS[(Redis: Fast Cache/Queues<br>Sub-1ms P99)]
-        MONGO[(MongoDB: Optional Audit/History<br>>180 Days)]
+        REDIS[(Redis: Quotas & Short-lived Queues<br>Sub-1ms P99)]
+        MONGO[(MongoDB: Canonical Advisories<br>Merge Events & Export State)]
         TMPFS[(Local tmpfs: Trivy Layer Cache<br>Low I/O Overhead)]
     end
 
@@ -294,7 +293,7 @@ flowchart LR
 | **S‑1** | Pipeline Scan & Alert     | Stella CLI → SBOM → `/scan` → policy verdict → CI exit code & link to *Scan Detail*                |
 | **S‑2** | Mute Noisy CVE            | Dev toggles **Mute** in UI → rule stored in Redis → next build passes                           |
 | **S‑3** | Nightly Re‑scan           | `SbomNightly.Schedule` re‑queues SBOMs (mask‑filter) → dashboard highlights new Criticals       |
-| **S‑4** | Feed Update Cycle         | `FeedMerge Service` merges feeds → UI *Feed Age* tile turns green                                      |
+| **S‑4** | Feed Update Cycle         | `Feedser (vulnerability ingest/merge/export service)` refreshes feeds → UI *Feed Age* tile turns green |
 | **S‑5** | Custom Report Generation  | Plug‑in registers `IReportRenderer` → `/report/custom/{digest}` → CI downloads artifact         |
 
 ```mermaid