Replace ConcurrentDictionary-based in-memory stores (VexDecisionStore,
FixVerificationStore, AuditBundleStore) with Postgres-backed repositories
that persist VEX decisions, fix verifications, and audit bundles to the
findings schema. The stores auto-detect NpgsqlDataSource availability and
fall back to in-memory mode for tests/offline.
Changes:
- Add migration 010_vex_fix_audit_tables.sql creating vex_decisions,
fix_verifications, and audit_bundles tables (partitioned by tenant_id)
- Rewrite VexDecisionStore with dual-mode: Postgres when ConnectionStrings__Default
is configured, ConcurrentDictionary otherwise (backwards-compatible for tests)
- Rewrite FixVerificationStore and AuditBundleStore with same dual-mode pattern
- Wire NpgsqlDataSource in Program.cs from ConnectionStrings__Default
- Add /api/vuln-explorer/findings/{vulnId}/evidence-subgraph route alias to
match what the Angular UI (EvidenceSubgraphService) actually calls -- the
gateway forwards this path as-is to the service
- Convert all endpoint handlers to async to use the new Postgres-backed methods
- Add Npgsql PackageReference to VulnExplorer.Api.csproj
- Add VulnExplorerRepositories.cs placeholder in Findings.Ledger.WebService
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce SecurityVulnerabilityEndpoints, VulnerabilityDetailService,
and supporting contracts for the vulnerability detail page backend.
Includes integration tests for the new endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract connection string building into PostgresConnectionStringPolicy so all
services use consistent pooling, application_name, and timeout settings.
Adopt the new policy in 20+ module DataSource/ServiceCollectionExtensions classes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)
Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)
Note: All 17 ACSC connector tests pass after snapshot fixture sync
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
