Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories

- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.

docs/11_DATA_SCHEMAS.md

@@ -1,7 +1,7 @@
-# Data Schemas & Persistence Contracts
+# Data Schemas & Persistence Contracts
 
 *Audience* – backend developers, plug‑in authors, DB admins.  
-*Scope* – describes **Redis**, **MongoDB** (optional), and on‑disk blob shapes that power Stella Ops.
+*Scope* – describes **Redis**, **PostgreSQL**, and on‑disk blob shapes that power Stella Ops.
 
 ---
 
@@ -63,7 +63,7 @@ Merging logic inside `scanning` module stitches new data onto the cached full SB
 | `layers:<digest>`             | set     | 90d  | Layers already possessing SBOMs (delta cache)    |
 | `policy:active`                     | string  | ∞    | YAML **or** Rego ruleset                         |
 | `quota:<token>`              | string  | *until next UTC midnight* | Per‑token scan counter for Free tier ({{ quota_token }} scans). |
-| `policy:history`                    | list    | ∞    | Change audit IDs (see Mongo)                     |
+| `policy:history`                    | list    | ∞    | Change audit IDs (see PostgreSQL)                |
 | `feed:nvd:json`                     | string  | 24h  | Normalised feed snapshot                         |
 | `locator:<imageDigest>`        | string  | 30d  | Maps image digest → sbomBlobId                   |
 | `metrics:…`                         | various | —    | Prom / OTLP runtime metrics                      |
@@ -73,16 +73,16 @@ Merging logic inside `scanning` module stitches new data onto the cached full SB
 
 ---
 
-## 3 MongoDB Collections (Optional)
+## 3 PostgreSQL Tables
 
-Only enabled when `MONGO_URI` is supplied (for long‑term audit).
+PostgreSQL is the canonical persistent store for long-term audit and history.
 
-| Collection         | Shape (summary)                                            | Indexes                             |
+| Table              | Shape (summary)                                            | Indexes                             |
 |--------------------|------------------------------------------------------------|-------------------------------------|
-| `sbom_history`     | Wrapper JSON + `replaceTs` on overwrite                    | `{imageDigest}` `{created}`         |
-| `policy_versions`  | `{_id, yaml, rego, authorId, created}`                    | `{created}`                         |
-| `attestations` ⭑  | SLSA provenance doc + Rekor log pointer                    | `{imageDigest}`                     |
-| `audit_log`        | Fully rendered RFC 5424 entries (UI & CLI actions)         | `{userId}` `{ts}`                   |
+| `sbom_history`     | Wrapper JSON + `replace_ts` on overwrite                   | `(image_digest)` `(created)`        |
+| `policy_versions`  | `{id, yaml, rego, author_id, created}`                     | `(created)`                         |
+| `attestations` ⭑  | SLSA provenance doc + Rekor log pointer                    | `(image_digest)`                    |
+| `audit_log`        | Fully rendered RFC 5424 entries (UI & CLI actions)         | `(user_id)` `(ts)`                  |
 
 Schema detail for **policy_versions**:
 
@@ -99,15 +99,15 @@ Samples live under `samples/api/scheduler/` (e.g., `schedule.json`, `run.json`,
 }
 ```
 
-### 3.1 Scheduler Sprints 16 Artifacts
+### 3.1 Scheduler Sprints 16 Artifacts
 
-**Collections.** `schedules`, `runs`, `impact_snapshots`, `audit` (module‑local). All documents reuse the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic.
+**Tables.** `schedules`, `runs`, `impact_snapshots`, `audit` (module-local). All rows use the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic.
 
-#### 3.1.1 Schedule (`schedules`)
+#### 3.1.1 Schedule (`schedules`)
 
 ```jsonc
 {
-  "_id": "sch_20251018a",
+  "id": "sch_20251018a",
   "tenantId": "tenant-alpha",
   "name": "Nightly Prod",
   "enabled": true,
@@ -468,7 +468,7 @@ Planned for Q1‑2026 (kept here for early plug‑in authors).
 * `actions[].throttle` serialises as ISO 8601 duration (`PT5M`), mirroring worker backoff guardrails.
 * `vex` gates let operators exclude accepted/not‑affected justifications; omit the block to inherit default behaviour.
 * Use `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeRule(JsonNode)` when deserialising legacy payloads that might lack `schemaVersion` or retain older revisions.
-* Soft deletions persist `deletedAt` in Mongo (and disable the rule); repository queries automatically filter them.
+* Soft deletions persist `deletedAt` in PostgreSQL (and disable the rule); repository queries automatically filter them.
 
 ### 6.2 Channel highlights (`notify-channel@1`)
 
@@ -523,10 +523,10 @@ Integration tests can embed the sample fixtures to guarantee deterministic seria
 
 ## 7 Migration Notes
 
-1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`.  
+1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`.  
 2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard).  
-3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled.  
-4. Prepare `attestations` collection (empty) – safe to create in advance.
+3. Policy YAML previously stored in Redis → copy to PostgreSQL if persistence enabled.  
+4. Prepare `attestations` table (empty) – safe to create in advance.
 
 ---