feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships

- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.

docs/modules/export-center/api.md

@@ -16,7 +16,8 @@ This reference describes the Export Center API introduced in Export Center Phase
   - `export:download` for bundle downloads and manifests.
 - **Tenant context:** Provide `X-Stella-Tenant` when the token carries multiple tenants; defaults to token tenant otherwise.
 - **Idempotency:** Mutating endpoints accept `Idempotency-Key` (UUID). Retrying with the same key returns the original result.
-- **Rate limits and quotas:** Responses include `X-Stella-Quota-Limit`, `X-Stella-Quota-Remaining`, and `X-Stella-Quota-Reset`. Exceeding quotas returns `429 Too Many Requests` with `ERR_EXPORT_QUOTA`.
+- **Rate limits and quotas:** Responses include `X-Stella-Quota-Limit`, `X-Stella-Quota-Remaining`, and `X-Stella-Quota-Reset`. Exceeding quotas returns `429 Too Many Requests` with `ERR_EXPORT_QUOTA`.
+- **Integrity headers (downloads):** `Digest: sha-256=<base64>`, `X-Stella-Signature: dsse-b64=<payload>`, and `X-Stella-Immutability: true` accompany bundle/manifest downloads; clients must validate before use.
 - **Content negotiation:** Requests and responses use `application/json; charset=utf-8` unless otherwise stated. Downloads stream binary content with profile-specific media types.
 - **SSE:** Event streams set `Content-Type: text/event-stream` and keep connections alive with comment heartbeats every 15 seconds.
 
@@ -100,21 +101,29 @@ Scopes: export:profile:manage
 **Request**
 
 ```json
-{
-  "profileId": "prof-airgap-mirror",
-  "name": "Airgap Mirror Weekly",
-  "kind": "mirror",
-  "variant": "full",
-  "include": ["advisories", "vex", "sboms", "policy"],
-  "distribution": ["http", "object"],
-  "encryption": {
-    "enabled": true,
-    "recipientKeys": ["age1tenantkey..."],
-    "strict": false
-  },
-  "retention": {"mode": "days", "value": 30}
-}
-```
+{  
+  "profileId": "prof-airgap-mirror",
+  "name": "Airgap Mirror Weekly",
+  "kind": "mirror",
+  "variant": "full",
+  "include": ["advisories", "vex", "sboms", "policy"],
+  "distribution": ["http", "object"],
+  "encryption": {
+    "enabled": true,
+    "recipientKeys": ["age1tenantkey..."],
+    "strict": false
+  },
+  "retention": {"mode": "days", "value": 30},
+  "limits": {
+    "maxActiveRuns": 4,
+    "maxQueuedRuns": 50,
+    "backpressureMode": "reject"
+  },
+  "approval": {
+    "required": false
+  }
+}
+```
 
 **Response 201**
 
@@ -183,16 +192,24 @@ Scopes: export:run
 {
   "runId": "run-20251029-01",
   "status": "pending",
-  "profileId": "prof-json-raw",
-  "createdAt": "2025-10-29T12:12:11Z",
-  "createdBy": "user:ops",
-  "selectors": { "...": "..." },
-  "links": {
-    "self": "/api/export/runs/run-20251029-01",
-    "events": "/api/export/runs/run-20251029-01/events"
-  }
-}
-```
+  "profileId": "prof-json-raw",
+  "createdAt": "2025-10-29T12:12:11Z",
+  "createdBy": "user:ops",
+  "selectors": { "...": "..." },
+  "links": {
+    "self": "/api/export/runs/run-20251029-01",
+    "events": "/api/export/runs/run-20251029-01/events"
+  },
+  "quotas": {
+    "maxActiveRuns": 4,
+    "maxQueuedRuns": 50,
+    "backpressureMode": "reject"
+  },
+  "approval": {
+    "required": false
+  }
+}
+```
 
 ### 4.2 List runs
 
@@ -214,11 +231,15 @@ Response fields:
 
 | Field | Description |
 |-------|-------------|
-| `status` | `pending`, `running`, `success`, `failed`, `canceled`. |
-| `progress` | Object with `adapters`, `bytesWritten`, `recordsProcessed`. |
-| `errorCode` | Populated when `status=failed` (`signing`, `distribution`, etc). |
-| `policySnapshotId` | Returned for policy-aware profiles. |
-| `distributions` | List of available distribution descriptors (type, location, sha256, expiresAt). |
+| `status` | `pending`, `running`, `success`, `failed`, `canceled`. |
+| `progress` | Object with `adapters`, `bytesWritten`, `recordsProcessed`. |
+| `errorCode` | Populated when `status=failed` (`signing`, `distribution`, etc). |
+| `policySnapshotId` | Returned for policy-aware profiles. |
+| `distributions` | List of available distribution descriptors (type, location, sha256, expiresAt). |
+| `rerunHash` | SHA-256 over sorted `contents[*].digest`; used for determinism checks. |
+| `integrity` | Expected HTTP headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and OCI annotations (`io.stellaops.export.*`). |
+| `quotas` | Active limits/backpressure settings returned with the run. |
+| `approval` | Cross-tenant approval ticket when selectors span multiple tenants/wildcards. |
 
 ### 4.4 Cancel a run
 
@@ -273,14 +294,16 @@ GET /api/export/runs/{runId}/download
 Scopes: export:download
 ```
 
-Streams the primary bundle (tarball, zip, or profile-specific layout). Headers:
-
-- `Content-Disposition: attachment; filename="export-run-20251029-01.tar.zst"`
-- `X-Export-Digest: sha256:...`
-- `X-Export-Size: 73482019`
-- `X-Export-Encryption: age` (when mirror encryption enabled)
-
-Supports HTTP range requests for resume functionality. If no bundle exists yet, responds `409` with `ERR_EXPORT_007`.
+Streams the primary bundle (tarball, zip, or profile-specific layout). Headers:
+
+- `Content-Disposition: attachment; filename="export-run-20251029-01.tar.zst"`
+- `Digest: sha-256=<base64>` (EC5)
+- `X-Stella-Signature: dsse-b64:<payload>` (EC3/EC5)
+- `X-Stella-Immutability: true`
+- `X-Export-Size: 73482019`
+- `X-Export-Encryption: age` (when mirror encryption enabled)
+
+Supports HTTP range requests for resume functionality. If no bundle exists yet, responds `409` with `ERR_EXPORT_007`.
 
 ### 6.2 Manifest download
 
@@ -289,7 +312,8 @@ GET /api/export/runs/{runId}/manifest
 Scopes: export:download
 ```
 
-Returns signed `export.json`. To fetch the detached signature, append `?signature=true`.
+Returns signed `export.json`. To fetch the detached signature, append `?signature=true`.
+- Integrity annotations are mirrored in response headers (`Digest`, `X-Stella-Signature`, `X-Stella-Immutability`) and in the manifest `integrity` block to keep rerun-hash deterministic.
 
 ### 6.3 Provenance download
 
@@ -298,7 +322,7 @@ GET /api/export/runs/{runId}/provenance
 Scopes: export:download
 ```
 
-Returns signed `provenance.json`. Supports `?signature=true`. Provenance includes attestation subject digests, policy snapshot ids, adapter versions, and KMS key identifiers.
+Returns signed `provenance.json`. Supports `?signature=true`. Provenance includes attestation subject digests, policy snapshot ids, adapter versions, and KMS key identifiers.
 
 ### 6.4 Distribution descriptors