[codex] Add local-first vulnerability research (#93)

* Add local-first vulnerability research

* Refresh GitNexus index metadata

* Address local research review feedback

* Address vulnerability research review feedback

Author: FrodeHus

AGENTS.md

@@ -89,7 +89,7 @@ Canonical entities must enforce EF max-length caps and FK `Guid` validity at the
 <!-- gitnexus:start -->
 # GitNexus — Code Intelligence
 
-This project is indexed by GitNexus as **PatchHound** (11164 symbols, 92808 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
+This project is indexed by GitNexus as **PatchHound** (11435 symbols, 97109 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
 
 > If any GitNexus tool warns the index is stale, run `npx gitnexus analyze` in terminal first.
 

CLAUDE.md

@@ -89,7 +89,7 @@ Canonical entities must enforce EF max-length caps and FK `Guid` validity at the
 <!-- gitnexus:start -->
 # GitNexus — Code Intelligence
 
-This project is indexed by GitNexus as **PatchHound** (11164 symbols, 92808 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
+This project is indexed by GitNexus as **PatchHound** (11435 symbols, 97109 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
 
 > If any GitNexus tool warns the index is stale, run `npx gitnexus analyze` in terminal first.
 

frontend/src/api/ai-settings.schemas.ts

@@ -47,7 +47,7 @@ export const saveTenantAiProfileSchema = z.object({
   apiVersion: z.string(),
   keepAlive: z.string(),
   allowExternalResearch: z.boolean(),
-  webResearchMode: z.enum(['Disabled', 'ProviderNative', 'PatchHoundManaged']),
+  webResearchMode: z.enum(['Disabled', 'ProviderNative', 'PatchHoundManaged', 'LocalVulnerabilityIntel']),
   includeCitations: z.boolean(),
   maxResearchSources: z.number().int().positive(),
   allowedDomains: z.string(),

frontend/src/components/features/settings/TenantAiSettingsPage.tsx

@@ -893,7 +893,7 @@ function AiProfileEditorPage({
                   <div className="space-y-1">
                     <span className="text-sm font-medium text-foreground">Allow external web research</span>
                     <p className="text-sm text-muted-foreground">
-                      Use recent external context when supported by the provider or by PatchHound-managed research.
+                      Use recent external context when supported by the provider or by PatchHound-managed research. Vulnerability assessments always use local PatchHound intel first.
                     </p>
                   </div>
                 </label>
@@ -917,9 +917,19 @@ function AiProfileEditorPage({
                           {draft.providerType === 'OpenAi' ? (
                             <SelectItem value="ProviderNative">Provider native</SelectItem>
                           ) : null}
+                          <SelectItem value="LocalVulnerabilityIntel">Local vulnerability intel</SelectItem>
                           <SelectItem value="PatchHoundManaged">PatchHound managed</SelectItem>
                         </SelectContent>
                       </Select>
+                      {draft.webResearchMode === 'PatchHoundManaged' ? (
+                        <p className="mt-2 text-xs leading-5 text-muted-foreground">
+                          PatchHound-managed external research sends search queries and fetched public pages through the configured research service.
+                        </p>
+                      ) : draft.webResearchMode === 'LocalVulnerabilityIntel' ? (
+                        <p className="mt-2 text-xs leading-5 text-muted-foreground">
+                          Local vulnerability intel uses PatchHound and NVD cache data only. It does not perform external HTTP research.
+                        </p>
+                      ) : null}
                     </Field>
 
                     <Field label="Max research sources" tooltip="Upper bound for external sources added to the research context.">

src/PatchHound.Api/appsettings.Development.json

@@ -10,5 +10,8 @@
   },
   "ConnectionStrings": {
     "PatchHound": ""
+  },
+  "AiResearch": {
+    "JinaSearchProvider": "Google"
   }
 }

src/PatchHound.Api/appsettings.json

@@ -27,6 +27,9 @@
   "Frontend": {
     "Origin": "http://localhost:5173"
   },
+  "AiResearch": {
+    "JinaSearchProvider": "Google"
+  },
   "FeatureManagement": {
     "Workflows": true,
     "AuthenticatedScans": true

src/PatchHound.Core/Enums/AiResearchProviderKind.cs

@@ -0,0 +1,7 @@
+namespace PatchHound.Core.Enums;
+
+public enum AiResearchProviderKind
+{
+    ExternalWebSearch = 0,
+    LocalVulnerabilityIntel = 1,
+}

src/PatchHound.Core/Enums/TenantAiWebResearchMode.cs

@@ -5,4 +5,5 @@ public enum TenantAiWebResearchMode
     Disabled = 0,
     ProviderNative = 1,
     PatchHoundManaged = 2,
+    LocalVulnerabilityIntel = 3,
 }

src/PatchHound.Core/Models/AiWebResearchRequest.cs

@@ -1,8 +1,12 @@
+using PatchHound.Core.Enums;
+
 namespace PatchHound.Core.Models;
 
 public record AiWebResearchRequest(
     string Query,
     IReadOnlyList<string> AllowedDomains,
     int MaxSources,
-    bool IncludeCitations
+    bool IncludeCitations,
+    IReadOnlyList<Guid>? VulnerabilityIds = null,
+    IReadOnlyList<AiResearchProviderKind>? Providers = null
 );

src/PatchHound.Infrastructure/DependencyInjection.cs

@@ -128,8 +128,11 @@ void ConfigureDbContext(IServiceProvider sp, DbContextOptionsBuilder options) =>
         services.AddScoped<ExecutiveDashboardBriefingService>();
         services.AddScoped<IRiskChangeBriefAiSummaryService, RiskChangeBriefAiSummaryService>();
         services.AddScoped<ITenantAiConfigurationResolver, TenantAiConfigurationResolver>();
+        services.Configure<AiResearchOptions>(configuration.GetSection(AiResearchOptions.SectionName));
+        services.AddScoped<LocalVulnerabilityIntelResearchProvider>();
+        services.AddScoped<ITenantAiResearchService, TenantAiResearchService>();
         services
-            .AddHttpClient<ITenantAiResearchService, TenantAiResearchService>()
+            .AddHttpClient<ExternalWebSearchResearchProvider>()
             .AddExternalHttpPolicies(maxConnectionsPerServer: 2);
         services.AddScoped<ISetupService, SetupService>();
         services.AddScoped<EnvironmentalSeverityCalculator>();