feat: Implement approvals workflow and notifications integration

- Added approvals orchestration with persistence and workflow scaffolding.
- Integrated notifications insights and staged resume hooks.
- Introduced approval coordinator and policy notification bridge with unit tests.
- Added approval decision API with resume requeue and persisted plan snapshots.
- Documented the Excitor consensus API beta and provided JSON sample payload.
- Created analyzers to flag usage of deprecated merge service APIs.
- Implemented logging for artifact uploads and approval decision service.
- Added tests for PackRunApprovalDecisionService and related components.

src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryObservationFactoryTests.cs

@@ -13,11 +13,11 @@ public sealed class AdvisoryObservationFactoryTests
     private static readonly DateTimeOffset SampleTimestamp = DateTimeOffset.Parse("2025-10-26T12:34:56Z");
 
     [Fact]
-    public void Create_NormalizesLinksetIdentifiersAndReferences()
-    {
-        var factory = new AdvisoryObservationFactory();
-        var rawDocument = BuildRawDocument(
-            identifiers: new RawIdentifiers(
+    public void Create_PreservesLinksetOrderAndDuplicates()
+    {
+        var factory = new AdvisoryObservationFactory();
+        var rawDocument = BuildRawDocument(
+            identifiers: new RawIdentifiers(
                 Aliases: ImmutableArray.Create("  CVE-2025-0001 ", "ghsa-XXXX-YYYY"),
                 PrimaryId: "GHSA-XXXX-YYYY"),
             linkset: new RawLinkset
@@ -29,16 +29,27 @@ public sealed class AdvisoryObservationFactoryTests
                     new RawReference("Advisory", " https://example.test/advisory "),
                     new RawReference("ADVISORY", "https://example.test/advisory"))
             });
-
-        var observation = factory.Create(rawDocument, SampleTimestamp);
-
-        Assert.Equal(SampleTimestamp, observation.CreatedAt);
-        Assert.Equal(new[] { "cve-2025-0001", "ghsa-xxxx-yyyy" }, observation.Linkset.Aliases);
-        Assert.Equal(new[] { "pkg:npm/left-pad@1.0.0" }, observation.Linkset.Purls);
-        Assert.Equal(new[] { "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*" }, observation.Linkset.Cpes);
-        var reference = Assert.Single(observation.Linkset.References);
-        Assert.Equal("advisory", reference.Type);
-        Assert.Equal("https://example.test/advisory", reference.Url);
+
+        var observation = factory.Create(rawDocument, SampleTimestamp);
+
+        Assert.Equal(SampleTimestamp, observation.CreatedAt);
+        Assert.Equal(
+            new[] { "GHSA-XXXX-YYYY", "CVE-2025-0001", "ghsa-XXXX-YYYY", "CVE-2025-0001" },
+            observation.Linkset.Aliases);
+        Assert.Equal(
+            new[] { "pkg:NPM/left-pad@1.0.0", "pkg:npm/left-pad@1.0.0?foo=bar" },
+            observation.Linkset.Purls);
+        Assert.Equal(
+            new[] { "cpe:/a:Example:Product:1.0", "cpe:/a:example:product:1.0" },
+            observation.Linkset.Cpes);
+        Assert.Equal(2, observation.Linkset.References.Length);
+        Assert.All(
+            observation.Linkset.References,
+            reference =>
+            {
+                Assert.Equal("advisory", reference.Type);
+                Assert.Equal("https://example.test/advisory", reference.Url);
+            });
 
         Assert.Equal(
             new[] { "GHSA-XXXX-YYYY", "  CVE-2025-0001 ", "ghsa-XXXX-YYYY", "   CVE-2025-0001   " },

src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationQueryServiceTests.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Collections.Immutable;
 using System.Linq;
 using System.Text.Json.Nodes;
@@ -52,9 +53,9 @@ public sealed class AdvisoryObservationQueryServiceTests
         Assert.Equal("tenant-a:osv:beta:1", result.Observations[0].ObservationId);
         Assert.Equal("tenant-a:ghsa:alpha:1", result.Observations[1].ObservationId);
 
-        Assert.Equal(
-            new[] { "cve-2025-0001", "cve-2025-0002", "ghsa-xyzz" },
-            result.Linkset.Aliases);
+        Assert.Equal(
+            new[] { "CVE-2025-0001", "CVE-2025-0002", "GHSA-xyzz" },
+            result.Linkset.Aliases);
 
         Assert.Equal(
             new[] { "pkg:npm/package-a@1.0.0", "pkg:pypi/package-b@2.0.0" },
@@ -103,8 +104,11 @@ public sealed class AdvisoryObservationQueryServiceTests
             CancellationToken.None);
 
         Assert.Equal(2, result.Observations.Length);
-        Assert.All(result.Observations, observation =>
-            Assert.Contains(observation.Linkset.Aliases, alias => alias is "cve-2025-0001" or "cve-2025-9999"));
+        Assert.All(result.Observations, observation =>
+            Assert.Contains(
+                observation.Linkset.Aliases,
+                alias => alias.Equals("CVE-2025-0001", StringComparison.OrdinalIgnoreCase)
+                    || alias.Equals("CVE-2025-9999", StringComparison.OrdinalIgnoreCase)));
 
         Assert.False(result.HasMore);
         Assert.Null(result.NextCursor);

src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj

@@ -10,5 +10,8 @@
     <ProjectReference Include="../../__Libraries/StellaOps.Concelier.Storage.Mongo/StellaOps.Concelier.Storage.Mongo.csproj" />
     <ProjectReference Include="../../StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.Plugin/StellaOps.Plugin.csproj" />
+    <ProjectReference Include="../../__Analyzers/StellaOps.Concelier.Analyzers/StellaOps.Concelier.Analyzers.csproj"
+                      OutputItemType="Analyzer"
+                      ReferenceOutputAssembly="false" />
   </ItemGroup>
-</Project>
+</Project>

src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/WebServiceEndpointsTests.cs

@@ -221,7 +221,7 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
         Assert.NotNull(ingestResponse.Headers.Location);
         var locationValue = ingestResponse.Headers.Location!.ToString();
         Assert.False(string.IsNullOrWhiteSpace(locationValue));
-        var lastSlashIndex = locationValue.LastIndexOf('/', StringComparison.Ordinal);
+        var lastSlashIndex = locationValue.LastIndexOf('/');
         var idSegment = lastSlashIndex >= 0
             ? locationValue[(lastSlashIndex + 1)..]
             : locationValue;
@@ -886,15 +886,61 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
         var limitedResponse = await client.GetAsync("/concelier/exports/index.json");
         Assert.Equal((HttpStatusCode)429, limitedResponse.StatusCode);
         Assert.NotNull(limitedResponse.Headers.RetryAfter);
-        Assert.True(limitedResponse.Headers.RetryAfter!.Delta.HasValue);
-        Assert.True(limitedResponse.Headers.RetryAfter!.Delta!.Value.TotalSeconds > 0);
-    }
-
-
-    [Fact]
-    public async Task JobsEndpointsAllowBypassWhenAuthorityEnabled()
-    {
-        var environment = new Dictionary<string, string?>
+        Assert.True(limitedResponse.Headers.RetryAfter!.Delta.HasValue);
+        Assert.True(limitedResponse.Headers.RetryAfter!.Delta!.Value.TotalSeconds > 0);
+    }
+
+    [Fact]
+    public void MergeModuleDisabledWhenFeatureFlagEnabled()
+    {
+        var environment = new Dictionary<string, string?>
+        {
+            ["CONCELIER_FEATURES__NOMERGEENABLED"] = "true"
+        };
+
+        using var factory = new ConcelierApplicationFactory(
+            _runner.ConnectionString,
+            authorityConfigure: null,
+            environmentOverrides: environment);
+        using var scope = factory.Services.CreateScope();
+        var provider = scope.ServiceProvider;
+
+#pragma warning disable CS0618, CONCELIER0001, CONCELIER0002 // Checking deprecated service registration state.
+        Assert.Null(provider.GetService<AdvisoryMergeService>());
+#pragma warning restore CS0618, CONCELIER0001, CONCELIER0002
+
+        var schedulerOptions = provider.GetRequiredService<IOptions<JobSchedulerOptions>>().Value;
+        Assert.DoesNotContain("merge:reconcile", schedulerOptions.Definitions.Keys);
+    }
+
+    [Fact]
+    public void MergeJobRemainsWhenAllowlisted()
+    {
+        var environment = new Dictionary<string, string?>
+        {
+            ["CONCELIER_FEATURES__MERGEJOBALLOWLIST__0"] = "merge:reconcile"
+        };
+
+        using var factory = new ConcelierApplicationFactory(
+            _runner.ConnectionString,
+            authorityConfigure: null,
+            environmentOverrides: environment);
+        using var scope = factory.Services.CreateScope();
+        var provider = scope.ServiceProvider;
+
+#pragma warning disable CS0618, CONCELIER0001, CONCELIER0002 // Checking deprecated service registration state.
+        Assert.NotNull(provider.GetService<AdvisoryMergeService>());
+#pragma warning restore CS0618, CONCELIER0001, CONCELIER0002
+
+        var schedulerOptions = provider.GetRequiredService<IOptions<JobSchedulerOptions>>().Value;
+        Assert.Contains("merge:reconcile", schedulerOptions.Definitions.Keys);
+    }
+
+
+    [Fact]
+    public async Task JobsEndpointsAllowBypassWhenAuthorityEnabled()
+    {
+        var environment = new Dictionary<string, string?>
         {
             ["CONCELIER_AUTHORITY__ENABLED"] = "true",
             ["CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK"] = "false",