Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories

- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.

docs/17_SECURITY_HARDENING_GUIDE.md

@@ -87,7 +87,7 @@ networks:
     driver: bridge
 ```
 
-No dedicated “Redis” or “Mongo” sub‑nets are declared; the single bridge network suffices for the default stack.
+No dedicated "Redis" or "PostgreSQL" sub-nets are declared; the single bridge network suffices for the default stack.
 
 ###  3.2 Kubernetes deployment highlights
 
@@ -101,7 +101,7 @@ Optionally add CosignVerified=true label enforced by an admission controller (e.
 | Plane              | Recommendation                                                             |
 | ------------------ | -------------------------------------------------------------------------- |
 | North‑south        | Terminate TLS 1.2+ (OpenSSL‑GOST default). Use LetsEncrypt or internal CA. |
-| East‑west          | Compose bridge or K8s ClusterIP only; no public Redis/Mongo ports.         |
+| East-west          | Compose bridge or K8s ClusterIP only; no public Redis/PostgreSQL ports.    |
 | Ingress controller | Limit methods to GET, POST, PATCH (no TRACE).                              |
 | Rate‑limits        | 40 rps default; tune ScannerPool.Workers and ingress limit‑req to match.   |