scarson · scarson · Apr 5, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -162,7 +162,28 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: govulncheck
-        run: govulncheck ./...
+        run: |
+          # Temporary exceptions for unpatched docker/docker vulns (test-only dependency).
+          # GO-2026-4887: AuthZ plugin bypass (daemon-side, not client SDK)
+          # GO-2026-4883: Plugin privilege validation off-by-one (daemon-side)
+          # These affect testcontainers-go's transitive dep, not production code.
+          # Expiry: 2026-07-05 — after this date CI fails to force re-evaluation.
+          EXPIRY="2026-07-05"
+          if [[ "$(date +%Y-%m-%d)" > "$EXPIRY" ]]; then
+            echo "::error::govulncheck exception expired on $EXPIRY — re-evaluate docker/docker vuln status"
+            govulncheck ./...
+            exit 1
+          fi
+          govulncheck ./... 2>&1 | tee /tmp/vulncheck.out || true
+          if grep -q 'Vulnerability #' /tmp/vulncheck.out; then
+            filtered=$(grep 'Vulnerability #' /tmp/vulncheck.out | grep -v 'GO-2026-4887\|GO-2026-4883' || true)
+            if [[ -n "$filtered" ]]; then
+              echo "::error::New vulnerabilities found beyond known exceptions:"
+              echo "$filtered"
+              exit 1
+            fi
+            echo "::warning::Known docker/docker vulns still present — no fix available. Exception expires $EXPIRY."
+          fi
 
   test-web:
     name: "Test: Web"

diff --git a/.gitignore b/.gitignore
@@ -47,6 +47,9 @@ chats/
 # Private journal (personal MCP server data, never shared)
 .private-journal/
 
+# Data (text fixture files, etc.)
+.data/
+
 # Git worktrees
 .worktrees/
 .claude/worktrees/
diff --git a/AGENTS.md b/AGENTS.md
@@ -146,6 +146,13 @@ This is a security product — supply chain risk from unmaintained dependencies
 - YOU MUST NEVER ignore system or test output - logs and messages often contain CRITICAL information.
 - Test output MUST BE PRISTINE TO PASS. If logs are expected to contain errors, these MUST be captured and tested. If a test is intentionally triggering an error, we *must* capture and validate that the error output is as we expect
 
+### Test data seeding
+
+- **`testutil.SeedCorpus(t, db)`** — seeds a test database with 65 real CVEs from 8 feeds (NVD, MITRE, GHSA, OSV, KEV, MSRC, Red Hat, EPSS) via golden fixtures and the real merge pipeline. Requires Docker (testcontainers). Use this for integration tests that need a realistic CVE corpus (alert evaluation, search, reports, watchlists).
+- **Do NOT seed CVE test data with raw SQL inserts** — use `SeedCorpus` or store methods. Raw inserts bypass `material_hash` computation, child table population, and FTS index updates. See `dev/testing-pitfalls.md` §7.
+- **Golden file tests** exist for each feed adapter at `internal/feed/<adapter>/golden_test.go`. They serve captured real API responses via httptest. Do not delete or skip these — they catch upstream schema drift that unit tests with hand-crafted fixtures cannot detect.
+- **When NOT to use `SeedCorpus`:** For unit tests that need a specific CVE shape (e.g., CVSS 0.0, null description, specific CWE), hand-craft the `CanonicalPatch` directly. `SeedCorpus` provides breadth, not targeted edge cases. For adapter unit tests, continue using inline JSON fixtures for precise control over individual fields.
+
 ### Test execution is mandatory — compilation is not verification
 
 - **Tests MUST be executed, not just compiled.** `go build` and `go vet` verify syntax; only `go test` verifies behavior. Code that compiles but was never executed is unverified code.

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -163,6 +163,13 @@ When PRing from a worktree that was created from `main` and merged `dev`:
 - YOU MUST NEVER ignore system or test output - logs and messages often contain CRITICAL information.
 - Test output MUST BE PRISTINE TO PASS. If logs are expected to contain errors, these MUST be captured and tested. If a test is intentionally triggering an error, we *must* capture and validate that the error output is as we expect
 
+### Test data seeding
+
+- **`testutil.SeedCorpus(t, db)`** — seeds a test database with 65 real CVEs from 8 feeds (NVD, MITRE, GHSA, OSV, KEV, MSRC, Red Hat, EPSS) via golden fixtures and the real merge pipeline. Requires Docker (testcontainers). Use this for integration tests that need a realistic CVE corpus (alert evaluation, search, reports, watchlists).
+- **Do NOT seed CVE test data with raw SQL inserts** — use `SeedCorpus` or store methods. Raw inserts bypass `material_hash` computation, child table population, and FTS index updates. See `dev/testing-pitfalls.md` §7.
+- **Golden file tests** exist for each feed adapter at `internal/feed/<adapter>/golden_test.go`. They serve captured real API responses via httptest. Do not delete or skip these — they catch upstream schema drift that unit tests with hand-crafted fixtures cannot detect.
+- **When NOT to use `SeedCorpus`:** For unit tests that need a specific CVE shape (e.g., CVSS 0.0, null description, specific CWE), hand-craft the `CanonicalPatch` directly. `SeedCorpus` provides breadth, not targeted edge cases. For adapter unit tests, continue using inline JSON fixtures for precise control over individual fields.
+
 ### Test execution is mandatory — compilation is not verification
 
 - **Tests MUST be executed, not just compiled.** `go build` and `go vet` verify syntax; only `go test` verifies behavior. Code that compiles but was never executed is unverified code.