Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories

- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.

docs/14_GLOSSARY_OF_TERMS.md

@@ -20,7 +20,7 @@ open a PR and append it alphabetically.*
 | **ADR** | *Architecture Decision Record* – lightweight Markdown file that captures one irreversible design decision. | ADR template lives at `/docs/adr/` |
 | **AIRE** | *AI Risk Evaluator* – optional Plus/Pro plug‑in that suggests mute rules using an ONNX model. | Commercial feature |
 | **Azure‑Pipelines** | CI/CD service in Microsoft Azure DevOps. | Recipe in Pipeline Library |
-| **BDU** | Russian (FSTEC) national vulnerability database: *База данных уязвимостей*. | Merged with NVD by Concelier (vulnerability ingest/merge/export service) |
+| **BDU** | Russian (FSTEC) national vulnerability database: *База данных уязвимостей*. | Merged with NVD by Concelier (vulnerability ingest/merge/export service) |
 | **BuildKit** | Modern Docker build engine with caching and concurrency. | Needed for layer cache patterns |
 | **CI** | *Continuous Integration* – automated build/test pipeline. | Stella integrates via CLI |
 | **Cosign** | Open‑source Sigstore tool that signs & verifies container images **and files**. | Images & OUK tarballs |
@@ -36,7 +36,7 @@ open a PR and append it alphabetically.*
 | **Digest (image)** | SHA‑256 hash uniquely identifying a container image or layer. | Pin digests for reproducible builds |
 | **Docker‑in‑Docker (DinD)** | Running Docker daemon inside a CI container. | Used in GitHub / GitLab recipes |
 | **DTO** | *Data Transfer Object* – C# record serialised to JSON. | Schemas in doc 11 |
-| **Concelier** | Vulnerability ingest/merge/export service consolidating OVN, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds into the canonical MongoDB store and export artifacts. | Cron default `0 1 * * *` |
+| **Concelier** | Vulnerability ingest/merge/export service consolidating OVN, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds into the canonical PostgreSQL store and export artifacts. | Cron default `0 1 * * *` |
 | **FSTEC** | Russian regulator issuing SOBIT certificates. | Pro GA target |
 | **Gitea** | Self‑hosted Git service – mirrors GitHub repo. | OSS hosting |
 | **GOST TLS** | TLS cipher‑suites defined by Russian GOST R 34.10‑2012 / 34.11‑2012. | Provided by `OpenSslGost` or CryptoPro |
@@ -53,7 +53,7 @@ open a PR and append it alphabetically.*
 | **Hyperfine** | CLI micro‑benchmark tool used in Performance Workbook. | Outputs CSV |
 | **JWT** | *JSON Web Token* – bearer auth token issued by OpenIddict. | Scope `scanner`, `admin`, `ui` |
 | **K3s / RKE2** | Lightweight Kubernetes distributions (Rancher). | Supported in K8s guide |
-| **Kubernetes NetworkPolicy** | K8s resource controlling pod traffic. | Redis/Mongo isolation |
+| **Kubernetes NetworkPolicy** | K8s resource controlling pod traffic. | Redis/PostgreSQL isolation |
 
 ---
 
@@ -61,7 +61,7 @@ open a PR and append it alphabetically.*
 
 | Term | Definition | Notes |
 |------|------------|-------|
-| **Mongo (optional)** | Document DB storing > 180 day history and audit logs. | Off by default in Core |
+| **PostgreSQL** | Relational DB storing history and audit logs. | Required for production |
 | **Mute rule** | JSON object that suppresses specific CVEs until expiry. | Schema `mute-rule‑1.json` |
 | **NVD** | US‑based *National Vulnerability Database*. | Primary CVE source |
 | **ONNX** | Portable neural‑network model format; used by AIRE. | Runs in‑process |