Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories

- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.

docs/10_CONCELIER_CLI_QUICKSTART.md

@@ -10,7 +10,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
 ## 0 · Prerequisites
 
 - .NET SDK **10.0.100-preview** (matches `global.json`)
-- MongoDB instance reachable from the host (local Docker or managed)
+- PostgreSQL instance reachable from the host (local Docker or managed)
 - `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI)
 - Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo)
 - Optional: Docker/Podman runtime if you plan to run scanners locally
@@ -30,7 +30,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    cp etc/concelier.yaml.sample etc/concelier.yaml
    ```
 
-2. Edit `etc/concelier.yaml` and update the MongoDB DSN (and optional database name).
+2. Edit `etc/concelier.yaml` and update the PostgreSQL DSN (and optional database name).
    The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/`
    and disables remote telemetry exporters by default.
 
@@ -38,7 +38,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    `CONCELIER_`. Example:
 
    ```bash
-   export CONCELIER_STORAGE__DSN="mongodb://user:pass@mongo:27017/concelier"
+   export CONCELIER_STORAGE__DSN="Host=localhost;Port=5432;Database=concelier;Username=user;Password=pass"
    export CONCELIER_TELEMETRY__ENABLETRACING=false
    ```
 
@@ -48,11 +48,11 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
  dotnet run --project src/Concelier/StellaOps.Concelier.WebService
   ```
 
-   On startup Concelier validates the options, boots MongoDB indexes, loads plug-ins,
+   On startup Concelier validates the options, boots PostgreSQL indexes, loads plug-ins,
    and exposes:
 
    - `GET /health` – returns service status and telemetry settings
-   - `GET /ready` – performs a MongoDB `ping`
+   - `GET /ready` – performs a PostgreSQL `ping`
    - `GET /jobs` + `POST /jobs/{kind}` – inspect and trigger connector/export jobs
 
   > **Security note** – authentication now ships via StellaOps Authority. Keep
@@ -263,8 +263,8 @@ a problem document.
   triggering Concelier jobs.
 - Export artefacts are materialised under the configured output directories and
   their manifests record digests.
-- MongoDB contains the expected `document`, `dto`, `advisory`, and `export_state`
-  collections after a run.
+- PostgreSQL contains the expected `document`, `dto`, `advisory`, and `export_state`
+  tables after a run.
 
 ---
 
@@ -273,7 +273,7 @@ a problem document.
 - Treat `etc/concelier.yaml.sample` as the canonical template. CI/CD should copy it to
   the deployment artifact and replace placeholders (DSN, telemetry endpoints, cron
   overrides) with environment-specific secrets.
-- Keep secret material (Mongo credentials, OTLP tokens) outside of the repository;
+- Keep secret material (PostgreSQL credentials, OTLP tokens) outside of the repository;
   inject them via secret stores or pipeline variables at stamp time.
 - When building container images, include `trivy-db` (and `oras` if used) so air-gapped
   clusters do not need outbound downloads at runtime.