feat: Add initial implementation of Vulnerability Resolver Jobs

- Created project for StellaOps.Scanner.Analyzers.Native.Tests with necessary dependencies. - Documented roles and guidelines in AGENTS.md for Scheduler module. - Implemented IResolverJobService interface and InMemoryResolverJobService for handling resolver jobs. - Added ResolverBacklogNotifier and ResolverBacklogService for monitoring job metrics. - Developed API endpoints for managing resolver jobs and retrieving metrics. - Defined models for resolver job requests and responses. - Integrated dependency injection for resolver job services. - Implemented ImpactIndexSnapshot for persisting impact index data. - Introduced SignalsScoringOptions for configurable scoring weights in reachability scoring. - Added unit tests for ReachabilityScoringService and RuntimeFactsIngestionService. - Created dotnet-filter.sh script to handle command-line arguments for dotnet. - Established nuget-prime project for managing package downloads.
2025-11-18 07:52:15 +02:00
parent e69b57d467
commit 8355e2ff75
299 changed files with 13293 additions and 2444 deletions
--- a/docs/modules/concelier/advisory-ai-api.md
+++ b/docs/modules/concelier/advisory-ai-api.md
@@ -0,0 +1,47 @@
+# Advisory AI API (structured chunks)
+
+**Scope:** `/advisories/{advisoryKey}/chunks` (Concelier WebService) · aligned with Sprint 0112 canonical model.
+
+## Response contract
+
+```jsonc
+{
+  "advisoryKey": "CVE-2025-0001",
+  "fingerprint": "<sha256 canonical advisory>",
+  "total": 3,
+  "truncated": false,
+  "entries": [
+    {
+      "type": "workaround",                  // ordered by (type, observationPath, documentId)
+      "chunkId": "c0ffee12",                // sha256(documentId|observationPath) first 8 bytes
+      "content": { /* structured field payload */ },
+      "provenance": {
+        "documentId": "tenant-a:chunk:newest",   // Observation _id
+        "observationPath": "/references/0",      // JSON Pointer into observation
+        "source": "nvd",
+        "kind": "workaround",
+        "value": "tenant-a:chunk:newest",
+        "recordedAt": "2025-01-07T00:00:00Z",
+        "fieldMask": ["/references/0"]
+      }
+    }
+  ]
+}
+```
+
+### Determinism & provenance
+
+- Sort entries by `(type, observationPath, documentId)` to keep cache keys stable across nodes.
+- Cache keys include the advisory `fingerprint`, chunk/observation limits, filters, and observation hashes.
+- Provenance anchors must always include both `documentId` and `observationPath` for Console/Attestor deep links and offline mirrors.
+
+### Query parameters
+
+- `tenant` (required): tenant id; must match authorization context.
+- `limit`, `observations`, `minLength`: bounded integers (see `ConcelierOptions.AdvisoryChunks`).
+- `section`, `format`: comma-separated filters (case-insensitive).
+
+### Compatibility notes
+
+- Mirrors and offline kits rely on `fingerprint` + `chunkId` to verify chunks without re-merging observations.
+- Field names mirror GHSA GraphQL and Cisco PSIRT openVuln payloads for downstream parity.
--- a/docs/modules/concelier/link-not-merge-schema.md
+++ b/docs/modules/concelier/link-not-merge-schema.md
@@ -1,12 +1,15 @@
 # Link-Not-Merge (LNM) Observation & Linkset Schema

-_Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
+_Frozen v1 (add-only) — approved 2025-11-17 for CONCELIER-LNM-21-001/002/101._

 ## Goals
 - Immutable storage of raw advisory observations per source/tenant.
 - Deterministic linksets built from observations without merging or mutating originals.
 - Stable across online/offline deployments; replayable from raw inputs.

+## Status
+- Frozen v1 as of 2025-11-17; further schema changes must go through ADR + sprint gating (CONCELIER-LNM-22x+).
+
 ## Observation document (Mongo JSON Schema excerpt)
 ```json
 {
@@ -41,6 +44,17 @@ _Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
      }
    },
    "references": {"bsonType": "array", "items": {"bsonType":"string"}},
+    "scopes": {"bsonType":"array","items":{"bsonType":"string"}},
+    "relationships": {
+      "bsonType": "array",
+      "items": {"bsonType":"object","required":["type","source","target"],
+        "properties": {
+          "type":{"bsonType":"string"},
+          "source":{"bsonType":"string"},
+          "target":{"bsonType":"string"},
+          "provenance":{"bsonType":"string"}
+        }}
+    },
    "weaknesses": {"bsonType":"array","items":{"bsonType":"string"}},
    "published": {"bsonType": "date"},
    "modified": {"bsonType": "date"},
@@ -84,6 +98,14 @@ _Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
        "severities": {"bsonType":"array","items":{"bsonType":"object"}}
      }
    },
+    "confidence": {"bsonType":"double", "description":"Optional correlation confidence (0–1)"},
+    "conflicts": {"bsonType":"array","items":{"bsonType":"object",
+      "required":["field","reason"],
+      "properties":{
+        "field":{"bsonType":"string"},
+        "reason":{"bsonType":"string"},
+        "values":{"bsonType":"array","items":{"bsonType":"string"}}
+      }}},
    "createdAt":{"bsonType":"date"},
    "builtByJobId":{"bsonType":"string"},
    "provenance": {"bsonType":"object","properties":{