docs: scaffold vuln parity assets folder and sample placeholders

docs/db/reports/assets/vuln-parity-20251211/README.md

@@ -0,0 +1,8 @@
+This folder holds frozen inputs for the 2025-12-11 Vulnerability parity run (Mongo vs Postgres).
+
+Drop files here and record their SHA256 in the parity report tables:
+- sboms/: SBOM samples
+- advisories/: advisory export subset (10k) if used
+- hashes.sha256: manifest of all files
+
+Do not modify contents once hashes are recorded.

docs/db/reports/assets/vuln-parity-20251211/hashes.sha256

@@ -0,0 +1 @@
+# populate after files are added

docs/db/reports/vuln-parity-sbom-sample-20251209.md

@@ -14,8 +14,10 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d
 | 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | <fill> | Deterministic compose sample used in sbom-vex proof. |
 | 2 | docs/examples/policies/sample-sbom.json | npm | small | <fill> | Tiny npm sample for quick parity sanity. |
 | 3 | tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/sbom-snapshot.json | mixed | <fill> | Graph indexer SBOM snapshot used in tests. |
-| 4 | <add: go> | go | <fill> | TODO: create/store Go SBOM under docs/db/reports/assets/vuln-parity-20251211/. |
-| 5 | <add: pypi/maven/os> | pypi or maven or rpm/deb | <fill> | TODO: add one non-npm ecosystem SBOM for coverage. |
+| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | <fill> | To be generated or copied from Go fixture. |
+| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | <fill> | To be generated or copied from Python fixture. |
+| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | <fill> | To be generated or copied from Maven/Java fixture. |
+| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | <fill> | Optional OS package SBOM for coverage. |
 
 ## Determinism guardrails
 - Do not change sample set after hashes recorded.