feat: Implement approvals workflow and notifications integration

- Added approvals orchestration with persistence and workflow scaffolding. - Integrated notifications insights and staged resume hooks. - Introduced approval coordinator and policy notification bridge with unit tests. - Added approval decision API with resume requeue and persisted plan snapshots. - Documented the Excitor consensus API beta and provided JSON sample payload. - Created analyzers to flag usage of deprecated merge service APIs. - Implemented logging for artifact uploads and approval decision service. - Added tests for PackRunApprovalDecisionService and related components.
2025-11-06 08:48:13 +02:00
parent 21a2759412
commit dd217b4546
98 changed files with 3883 additions and 2381 deletions
--- a/docs/vex/consensus-json.md
+++ b/docs/vex/consensus-json.md
@@ -0,0 +1,34 @@
+# Excitor consensus JSON sample (beta)
+
+```jsonc
+{
+  "vulnId": "CVE-2025-12345",
+  "productKey": "pkg:maven/org.apache.commons/commons-text@1.11.0",
+  "rollupStatus": "NOT_AFFECTED",
+  "sources": [
+    {
+      "providerId": "redhat",
+      "status": "NOT_AFFECTED",
+      "justification": "component_not_present",
+      "weight": 0.62,
+      "lastObserved": "2025-11-04T18:22:31Z",
+      "accepted": true,
+      "reason": "trust-tier vendor, signed OpenVEX"
+    },
+    {
+      "providerId": "github",
+      "status": "AFFECTED",
+      "justification": null,
+      "weight": 0.27,
+      "lastObserved": "2025-11-05T01:12:03Z",
+      "accepted": false,
+      "reason": "lower trust tier and stale statement"
+    }
+  ],
+  "policyRevisionId": "vex-consensus-policy@2025-11-05",
+  "evaluatedAt": "2025-11-05T02:05:14Z",
+  "consensusDigest": "sha256:41f2d96728b24f7a8b7f1251983b8edccd1e0f5781d4a51e51c8e6b20c1fa31a"
+}
+```
+
+> **Note:** This payload is generated from the beta consensus endpoint and is subject to change prior to GA. Keys and semantics are documented alongside API previews in `docs/modules/excitor/README.md`.