# Backport-Aware Advisory Deduplication with Provenance Scope

## Module
Concelier

## Status
VERIFIED

## Description
Enhances canonical advisory deduplication to be backport-aware. Same CVE with different backport status produces correctly differentiated canonicals. Includes provenance_scope tracking, configurable vendor vs. distro precedence lattice, and patch lineage normalization for merge_hash computation.

## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
- **Key Classes**:
  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - merge hash computation with backport-aware normalization
  - `MergeHashBackfillService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/MergeHashBackfillService.cs`) - backfills merge hashes for existing advisories
  - `MergeHashBackfillJob` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Jobs/MergeHashBackfillJob.cs`) - scheduled job for merge hash backfill
  - `MergeHashShadowWriteService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashShadowWriteService.cs`) - shadow writes for merge hash validation
  - `ProvenanceScopeService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs`) - provenance scope tracking and management
  - `ProvenanceScopeRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/ProvenanceScopeRepository.cs`) - PostgreSQL persistence for provenance scopes
  - `ProvenanceScopeEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/ProvenanceScopeEntity.cs`) - database entity for provenance scope
  - `PostgresProvenanceScopeStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresProvenanceScopeStore.cs`) - store implementation
- **Interfaces**: `IMergeHashCalculator`, `IProvenanceScopeService`, `IProvenanceScopeRepository`
- **Source**: SPRINT_8200_0015_0001_CONCEL_backport_integration.md

## E2E Test Plan
- [ ] Ingest same CVE with different backport status (patched vs unpatched) from two distros and verify they produce distinct canonical advisories
- [ ] Verify `MergeHashCalculator` differentiates merge hashes when backport status differs for the same CVE
- [ ] Verify `ProvenanceScopeService` correctly tracks which provenance scope each canonical belongs to
- [ ] Verify vendor vs. distro precedence: when vendor says "not affected" but distro says "patched", verify the precedence lattice resolves correctly
- [ ] Verify `MergeHashBackfillService` can retroactively update merge hashes for pre-existing advisories