feat: hourly CVE alerting with notification bell and API

Implements the full CVE alerting pipeline:

CVE Monitor (scheduler.rs):
- Replaces stub monitor_cves with actual OSV.dev scanning of all SBOM entries
- Runs hourly by default (CVE_MONITOR_SCHEDULE, was daily)
- Creates CveNotification for each new CVE (deduped by cve_id+repo+package)
- Updates SBOM entries with discovered vulnerabilities
- Upserts CveAlert records

Notification Model (compliance-core/models/notification.rs):
- CveNotification with status lifecycle: new → read → dismissed
- NotificationSeverity (Low/Medium/High/Critical) from CVSS scores
- parse_severity helper for OSV/NVD severity mapping

API Endpoints (5 new routes):
- GET /api/v1/notifications — List with status/severity/repo filters
- GET /api/v1/notifications/count — Unread count (for badge)
- PATCH /api/v1/notifications/:id/read — Mark as read
- PATCH /api/v1/notifications/:id/dismiss — Dismiss
- POST /api/v1/notifications/read-all — Bulk mark read

Dashboard Notification Bell:
- Floating bell icon (top-right) with unread count badge
- Dropdown panel showing CVE details: severity, CVSS, package, repo, summary
- Dismiss individual notifications
- Auto-marks as read when panel opens
- Polls count every 30 seconds

Also:
- Fix Dockerfile.dashboard: revert to dioxus-cli 0.7.3 --locked
- Add cve_notifications collection with unique + status indexes
- MongoDB indexes for efficient notification queries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-core/src/models/mod.rs

@@ -7,6 +7,7 @@ pub mod finding;
 pub mod graph;
 pub mod issue;
 pub mod mcp;
+pub mod notification;
 pub mod pentest;
 pub mod repository;
 pub mod sbom;
@@ -27,6 +28,7 @@ pub use graph::{
 };
 pub use issue::{IssueStatus, TrackerIssue, TrackerType};
 pub use mcp::{McpServerConfig, McpServerStatus, McpTransport};
+pub use notification::{CveNotification, NotificationSeverity, NotificationStatus};
 pub use pentest::{
     AttackChainNode, AttackNodeStatus, AuthMode, CodeContextHint, Environment, IdentityProvider,
     PentestAuthConfig, PentestConfig, PentestEvent, PentestMessage, PentestSession, PentestStats,

compliance-core/src/models/notification.rs

@@ -0,0 +1,103 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+
+/// Status of a CVE notification
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+pub enum NotificationStatus {
+    /// Newly created, not yet seen by the user
+    New,
+    /// User has seen it (e.g., opened the notification panel)
+    Read,
+    /// User has explicitly acknowledged/dismissed it
+    Dismissed,
+}
+
+/// Severity level for notification filtering
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
+#[serde(rename_all = "lowercase")]
+pub enum NotificationSeverity {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+/// A notification about a newly discovered CVE affecting a tracked dependency.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CveNotification {
+    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+    pub id: Option<bson::oid::ObjectId>,
+    /// The CVE/GHSA identifier
+    pub cve_id: String,
+    /// Repository where the vulnerable dependency is used
+    pub repo_id: String,
+    /// Repository name (denormalized for display)
+    pub repo_name: String,
+    /// Affected package name
+    pub package_name: String,
+    /// Affected version
+    pub package_version: String,
+    /// Human-readable severity
+    pub severity: NotificationSeverity,
+    /// CVSS score if available
+    pub cvss_score: Option<f64>,
+    /// Short summary of the vulnerability
+    pub summary: Option<String>,
+    /// Link to vulnerability details
+    pub url: Option<String>,
+    /// Notification lifecycle status
+    pub status: NotificationStatus,
+    /// When the CVE was first detected for this dependency
+    #[serde(with = "super::serde_helpers::bson_datetime")]
+    pub created_at: DateTime<Utc>,
+    /// When the user last interacted with this notification
+    pub read_at: Option<DateTime<Utc>>,
+}
+
+impl CveNotification {
+    pub fn new(
+        cve_id: String,
+        repo_id: String,
+        repo_name: String,
+        package_name: String,
+        package_version: String,
+        severity: NotificationSeverity,
+    ) -> Self {
+        Self {
+            id: None,
+            cve_id,
+            repo_id,
+            repo_name,
+            package_name,
+            package_version,
+            severity,
+            cvss_score: None,
+            summary: None,
+            url: None,
+            status: NotificationStatus::New,
+            created_at: Utc::now(),
+            read_at: None,
+        }
+    }
+}
+
+/// Map an OSV/NVD severity string to our notification severity
+pub fn parse_severity(s: Option<&str>, cvss: Option<f64>) -> NotificationSeverity {
+    // Prefer CVSS score if available
+    if let Some(score) = cvss {
+        return match score {
+            s if s >= 9.0 => NotificationSeverity::Critical,
+            s if s >= 7.0 => NotificationSeverity::High,
+            s if s >= 4.0 => NotificationSeverity::Medium,
+            _ => NotificationSeverity::Low,
+        };
+    }
+    // Fall back to string severity
+    match s.map(|s| s.to_uppercase()).as_deref() {
+        Some("CRITICAL") => NotificationSeverity::Critical,
+        Some("HIGH") => NotificationSeverity::High,
+        Some("MODERATE" | "MEDIUM") => NotificationSeverity::Medium,
+        _ => NotificationSeverity::Low,
+    }
+}