fix: create CVE notifications during scan, fix help chat doc loading

Bug fixes:

1. CVE notifications now created during scan pipeline (not just hourly)
   - Previously, notifications were only created by the scheduled
     monitor_cves job. Users with 4 CVE alerts saw 0 notifications.
   - Now the scan pipeline (Stage 3) creates notifications immediately
     when CVE alerts are discovered, with the same dedup logic.

2. Help chat doc context loading fixed for Docker/production
   - Added HELP_DOCS_PATH env var for explicit doc root configuration
   - Added fallback chain: env var → binary location → cwd → Docker paths
   - Dockerfile.agent now copies README.md and docs/ into /app and sets
     HELP_DOCS_PATH=/app so the help chat has doc context in production

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-agent/src/api/handlers/help_chat.rs

@@ -104,28 +104,58 @@ fn load_docs(root: &Path) -> String {
 
 /// Returns a reference to the cached doc context string, initialised on
 /// first call via `OnceLock`.
+///
+/// Discovery order:
+/// 1. `HELP_DOCS_PATH` env var (explicit override)
+/// 2. Walk up from the binary location
+/// 3. Current working directory
+/// 4. Common Docker paths (/app, /opt/compliance-scanner)
 fn doc_context() -> &'static str {
     DOC_CONTEXT.get_or_init(|| {
+        // 1. Explicit env var
+        if let Ok(path) = std::env::var("HELP_DOCS_PATH") {
+            let p = PathBuf::from(&path);
+            if p.join("README.md").is_file() || p.join("docs").is_dir() {
+                tracing::info!("help_chat: loading docs from HELP_DOCS_PATH={path}");
+                return load_docs(&p);
+            }
+            tracing::warn!("help_chat: HELP_DOCS_PATH={path} has no README.md or docs/");
+        }
+
+        // 2. Walk up from binary location
         let start = std::env::current_exe()
             .ok()
             .and_then(|p| p.parent().map(Path::to_path_buf))
             .unwrap_or_else(|| PathBuf::from("."));
 
-        match find_project_root(&start) {
-            Some(root) => load_docs(&root),
-            None => {
-                // Fallback: try current working directory
-                let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
-                if cwd.join("README.md").is_file() {
-                    return load_docs(&cwd);
-                }
-                tracing::error!(
-                    "help_chat: could not locate project root from {}; doc context will be empty",
-                    start.display()
-                );
-                String::new()
+        if let Some(root) = find_project_root(&start) {
+            return load_docs(&root);
+        }
+
+        // 3. Current working directory
+        if let Ok(cwd) = std::env::current_dir() {
+            if let Some(root) = find_project_root(&cwd) {
+                return load_docs(&root);
+            }
+            if cwd.join("README.md").is_file() {
+                return load_docs(&cwd);
             }
         }
+
+        // 4. Common Docker/deployment paths
+        for candidate in ["/app", "/opt/compliance-scanner", "/srv/compliance-scanner"] {
+            let p = PathBuf::from(candidate);
+            if p.join("README.md").is_file() || p.join("docs").is_dir() {
+                tracing::info!("help_chat: found docs at {candidate}");
+                return load_docs(&p);
+            }
+        }
+
+        tracing::error!(
+            "help_chat: could not locate project root; doc context will be empty. \
+             Set HELP_DOCS_PATH to the directory containing README.md and docs/"
+        );
+        String::new()
     })
 }