diff --git a/frontend/src/api/ai-settings.schemas.ts b/frontend/src/api/ai-settings.schemas.ts
index 9b182cce..09631203 100644
--- a/frontend/src/api/ai-settings.schemas.ts
+++ b/frontend/src/api/ai-settings.schemas.ts
@@ -19,6 +19,7 @@ export const tenantAiProfileSchema = z.object({
   keepAlive: z.string(),
   allowExternalResearch: z.boolean(),
   webResearchMode: z.string(),
+  researchSourceKey: z.string(),
   includeCitations: z.boolean(),
   maxResearchSources: z.number(),
   allowedDomains: z.string(),
@@ -48,6 +49,7 @@ export const saveTenantAiProfileSchema = z.object({
   keepAlive: z.string(),
   allowExternalResearch: z.boolean(),
   webResearchMode: z.enum(['Disabled', 'ProviderNative', 'PatchHoundManaged', 'LocalVulnerabilityIntel']),
+  researchSourceKey: z.string(),
   includeCitations: z.boolean(),
   maxResearchSources: z.number().int().positive(),
   allowedDomains: z.string(),
diff --git a/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.test.tsx b/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.test.tsx
index 6c61baae..039c1d43 100644
--- a/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.test.tsx
+++ b/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.test.tsx
@@ -43,7 +43,9 @@ const nvdSource: EnrichmentSource = {
   displayName: 'NVD API',
   enabled: true,
   credentialMode: 'no-credential',
+  targets: ['Scheduled'],
   refreshTtlHours: null,
+  options: { jinaReader: null },
   credentials: {
     storedCredentialId: null,
     acceptedCredentialTypes: ['api-key'],
diff --git a/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.tsx b/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.tsx
index 94c0ae25..32d3319f 100644
--- a/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.tsx
+++ b/frontend/src/components/features/admin/GlobalEnrichmentSourceManagement.tsx
@@ -125,7 +125,9 @@ export function GlobalEnrichmentSourceManagement({
           key: source.key,
           displayName: source.displayName,
           enabled: source.enabled,
+          targets: source.targets,
           refreshTtlHours: source.refreshTtlHours,
+          options: source.options,
           credentials: {
             storedCredentialId: source.credentials.storedCredentialId ?? null,
             secret: source.credentials.secret,
@@ -285,6 +287,18 @@ export function GlobalEnrichmentSourceManagement({
                           {source.key}
                         </span>
                       </div>
+                      {source.targets.length > 0 ? (
+                        <div className="mt-1 flex flex-wrap gap-1 pl-8">
+                          {source.targets.map((target) => (
+                            <span
+                              key={target}
+                              className="rounded-full border border-border/50 bg-background/60 px-2 py-0.5 text-[10px] text-muted-foreground"
+                            >
+                              {formatTargetLabel(target)}
+                            </span>
+                          ))}
+                        </div>
+                      ) : null}
                       {source.runtime.lastError ? (
                         <p
                           className="mt-0.5 max-w-[200px] truncate pl-8 text-[11px] text-destructive"
@@ -537,7 +551,7 @@ function EnrichmentSourceEditorSheetContent({
               <div className="space-y-0.5">
                 <p className="text-sm font-medium">Enable provider</p>
                 <p className="text-xs text-muted-foreground">
-                  When enabled, the worker will invoke this enrichment source during vulnerability processing.
+                  When enabled, selected PatchHound processes can invoke this enrichment source.
                 </p>
               </div>
               <input
@@ -551,6 +565,36 @@ function EnrichmentSourceEditorSheetContent({
                 }
               />
             </label>
+
+            <div className="grid gap-2 rounded-lg border border-border/60 px-4 py-3">
+              <p className="text-sm font-medium">Process targets</p>
+              <label className="flex items-center gap-2 text-sm text-muted-foreground">
+                <input
+                  type="checkbox"
+                  checked={source.targets.some((target) => target.toLowerCase() === 'scheduled')}
+                  onChange={(event) =>
+                    onUpdateSource(source.key, (current) => ({
+                      ...current,
+                      targets: updateTargetList(current.targets, 'Scheduled', event.target.checked),
+                    }))
+                  }
+                />
+                Scheduled enrichment worker
+              </label>
+              <label className="flex items-center gap-2 text-sm text-muted-foreground">
+                <input
+                  type="checkbox"
+                  checked={source.targets.some((target) => target.toLowerCase() === 'airesearch')}
+                  onChange={(event) =>
+                    onUpdateSource(source.key, (current) => ({
+                      ...current,
+                      targets: updateTargetList(current.targets, 'AIResearch', event.target.checked),
+                    }))
+                  }
+                />
+                AI research and assessments
+              </label>
+            </div>
           </FormSection>
 
           <FormSection title="Configuration">
@@ -610,6 +654,131 @@ function EnrichmentSourceEditorSheetContent({
             </div>
           </FormSection>
 
+          {source.key === 'jina-reader' && source.options.jinaReader ? (
+            <FormSection title="Jina Reader options">
+              <div className="grid gap-4 sm:grid-cols-2">
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Timeout Seconds</span>
+                  <Input
+                    type="number"
+                    min={3}
+                    max={60}
+                    value={source.options.jinaReader.timeoutSeconds}
+                    onChange={(event) =>
+                      onUpdateJinaReaderOption(source, onUpdateSource, 'timeoutSeconds', Number(event.target.value || 3))
+                    }
+                    className="h-10"
+                  />
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Max Content Chars</span>
+                  <Input
+                    type="number"
+                    min={1000}
+                    max={20000}
+                    step={500}
+                    value={source.options.jinaReader.maxContentChars}
+                    onChange={(event) =>
+                      onUpdateJinaReaderOption(source, onUpdateSource, 'maxContentChars', Number(event.target.value || 1000))
+                    }
+                    className="h-10"
+                  />
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Response Format</span>
+                  <Select
+                    value={source.options.jinaReader.responseFormat}
+                    onValueChange={(value) => onUpdateJinaReaderOption(source, onUpdateSource, 'responseFormat', value ?? 'markdown')}
+                  >
+                    <SelectTrigger className="h-10 w-full rounded-lg border-border/70 bg-background px-3">
+                      <SelectValue />
+                    </SelectTrigger>
+                    <SelectContent className="rounded-xl border-border/70 bg-popover/95 backdrop-blur">
+                      <SelectItem value="markdown">Markdown</SelectItem>
+                      <SelectItem value="text">Text</SelectItem>
+                      <SelectItem value="html">HTML</SelectItem>
+                    </SelectContent>
+                  </Select>
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Reader Engine</span>
+                  <label className="flex h-10 items-center gap-2 rounded-lg border border-border/70 bg-background px-3 text-sm text-muted-foreground">
+                    <input
+                      type="checkbox"
+                      checked={source.options.jinaReader.useReaderLmV2}
+                      onChange={(event) =>
+                        onUpdateJinaReaderOption(source, onUpdateSource, 'useReaderLmV2', event.target.checked)
+                      }
+                    />
+                    Use ReaderLM v2
+                  </label>
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Target Selector</span>
+                  <Input
+                    value={source.options.jinaReader.targetSelector}
+                    onChange={(event) =>
+                      onUpdateJinaReaderOption(source, onUpdateSource, 'targetSelector', event.target.value)
+                    }
+                    className="h-10"
+                  />
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Exclude Selector</span>
+                  <Input
+                    value={source.options.jinaReader.excludeSelector}
+                    onChange={(event) =>
+                      onUpdateJinaReaderOption(source, onUpdateSource, 'excludeSelector', event.target.value)
+                    }
+                    className="h-10"
+                  />
+                </div>
+                <div className="grid content-start gap-2">
+                  <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">Wait For Selector</span>
+                  <Input
+                    value={source.options.jinaReader.waitForSelector}
+                    onChange={(event) =>
+                      onUpdateJinaReaderOption(source, onUpdateSource, 'waitForSelector', event.target.value)
+                    }
+                    className="h-10"
+                  />
+                </div>
+                <div className="grid gap-2">
+                  <label className="flex items-center gap-2 text-sm text-muted-foreground">
+                    <input
+                      type="checkbox"
+                      checked={source.options.jinaReader.removeImages}
+                      onChange={(event) =>
+                        onUpdateJinaReaderOption(source, onUpdateSource, 'removeImages', event.target.checked)
+                      }
+                    />
+                    Remove images
+                  </label>
+                  <label className="flex items-center gap-2 text-sm text-muted-foreground">
+                    <input
+                      type="checkbox"
+                      checked={source.options.jinaReader.includeLinkSummary}
+                      onChange={(event) =>
+                        onUpdateJinaReaderOption(source, onUpdateSource, 'includeLinkSummary', event.target.checked)
+                      }
+                    />
+                    Include link summary
+                  </label>
+                  <label className="flex items-center gap-2 text-sm text-muted-foreground">
+                    <input
+                      type="checkbox"
+                      checked={source.options.jinaReader.includeImageSummary}
+                      onChange={(event) =>
+                        onUpdateJinaReaderOption(source, onUpdateSource, 'includeImageSummary', event.target.checked)
+                      }
+                    />
+                    Include image summary
+                  </label>
+                </div>
+              </div>
+            </FormSection>
+          ) : null}
+
           <FormSection title="Credentials">
             {source.credentials.acceptedCredentialTypes.length > 0 ? (
               <StoredCredentialSelector
@@ -617,7 +786,7 @@ function EnrichmentSourceEditorSheetContent({
                 storedCredentials={storedCredentials}
                 onUpdateSource={onUpdateSource}
               />
-            ) : source.credentialMode === 'global-secret' || source.key === 'nvd' ? (
+            ) : source.credentialMode === 'global-secret' || source.credentialMode === 'optional-global-secret' || source.key === 'nvd' ? (
               <div className="grid content-start gap-2">
                 <span className="text-[11px] uppercase tracking-[0.14em] text-muted-foreground">
                   API Key{source.key === 'nvd' ? ' (optional)' : ''}
@@ -859,7 +1028,7 @@ function StoredCredentialSelector({
           Enter a provider-specific secret below, or select a reusable global credential.
         </p>
       )}
-      {source.credentialMode === 'global-secret' || source.key === 'nvd' ? (
+      {source.credentialMode === 'global-secret' || source.credentialMode === 'optional-global-secret' || source.key === 'nvd' ? (
         <Input
           type="password"
           placeholder={
@@ -893,6 +1062,44 @@ function mapSourceToDraft(source: EnrichmentSource): EnrichmentSourceDraft {
   }
 }
 
+function updateTargetList(targets: string[], target: string, enabled: boolean) {
+  const normalized = targets.filter((item) => item.toLowerCase() !== target.toLowerCase())
+  return enabled ? [...normalized, target] : normalized
+}
+
+function formatTargetLabel(target: string) {
+  switch (target.toLowerCase()) {
+    case 'airesearch':
+      return 'AI research'
+    case 'scheduled':
+      return 'Scheduled'
+    default:
+      return target
+  }
+}
+
+function onUpdateJinaReaderOption<TKey extends keyof NonNullable<EnrichmentSource['options']['jinaReader']>>(
+  source: EnrichmentSourceDraft,
+  onUpdateSource: (key: string, mutate: (current: EnrichmentSourceDraft) => EnrichmentSourceDraft) => void,
+  key: TKey,
+  value: NonNullable<EnrichmentSource['options']['jinaReader']>[TKey],
+) {
+  onUpdateSource(source.key, (current) => {
+    if (!current.options.jinaReader) return current
+
+    return {
+      ...current,
+      options: {
+        ...current.options,
+        jinaReader: {
+          ...current.options.jinaReader,
+          [key]: value,
+        },
+      },
+    }
+  })
+}
+
 function formatTimestamp(value: string | null) {
   if (!value) return 'Never'
   const date = new Date(value)
@@ -936,6 +1143,11 @@ function getProviderStatusDescription(source: EnrichmentSource) {
     return 'Enriches software items with end-of-life date and support status from the endoflife.date database.'
   }
 
+  if (source.key === 'jina-reader') {
+    if (!source.enabled) return 'Jina Reader is configured but currently inactive.'
+    return 'Jina Reader can fetch public web pages as research context for AI assessments. API keys are optional.'
+  }
+
   return source.enabled
     ? 'This shared provider is available to enrich tenant vulnerability data during worker processing.'
     : 'This shared provider is configured but not currently used by the worker.'
diff --git a/frontend/src/components/features/settings/TenantAiSettingsPage.tsx b/frontend/src/components/features/settings/TenantAiSettingsPage.tsx
index 3725f290..08914762 100644
--- a/frontend/src/components/features/settings/TenantAiSettingsPage.tsx
+++ b/frontend/src/components/features/settings/TenantAiSettingsPage.tsx
@@ -1,5 +1,5 @@
-import { useMemo, useState } from 'react'
-import { useNavigate } from '@tanstack/react-router'
+import { useEffect, useMemo, useState } from 'react'
+import { Link, useNavigate } from '@tanstack/react-router'
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { toast } from 'sonner'
 import {
@@ -22,6 +22,7 @@ import {
   validateTenantAiProfile,
 } from '@/api/ai-settings.functions'
 import type { SaveTenantAiProfile, TenantAiProfile } from '@/api/ai-settings.schemas'
+import { fetchEnrichmentSources, type EnrichmentSource } from '@/server/system.functions'
 import { useTenantScope } from '@/components/layout/tenant-scope'
 import { Badge } from '@/components/ui/badge'
 import { Button } from '@/components/ui/button'
@@ -126,6 +127,7 @@ function createEmptyProfile(): SaveTenantAiProfile {
     keepAlive: '',
     allowExternalResearch: false,
     webResearchMode: 'Disabled',
+    researchSourceKey: '',
     includeCitations: true,
     maxResearchSources: 5,
     allowedDomains: '',
@@ -154,6 +156,7 @@ function toDraft(profile: TenantAiProfile): SaveTenantAiProfile {
     keepAlive: profile.keepAlive,
     allowExternalResearch: profile.allowExternalResearch,
     webResearchMode: profile.webResearchMode as SaveTenantAiProfile['webResearchMode'],
+    researchSourceKey: profile.researchSourceKey,
     includeCitations: profile.includeCitations,
     maxResearchSources: profile.maxResearchSources,
     allowedDomains: profile.allowedDomains,
@@ -235,6 +238,11 @@ export function TenantAiSettingsPage({
     enabled: !!selectedTenantId,
   })
 
+  const enrichmentSourcesQuery = useQuery({
+    queryKey: ['enrichment-sources'],
+    queryFn: () => fetchEnrichmentSources(),
+  })
+
   const profiles = profilesQuery.data ?? EMPTY_PROFILES
   const editingProfileId = effectiveMode === 'edit' ? effectiveProfileId ?? null : null
   const isCreateMode = effectiveMode === 'new'
@@ -348,6 +356,7 @@ export function TenantAiSettingsPage({
             modelError={modelsMutation.isError ? getApiErrorMessage(modelsMutation.error, 'Failed to list available models.') : null}
             isListingModels={modelsMutation.isPending}
             onListModels={(id) => modelsMutation.mutate(id)}
+            enrichmentSources={enrichmentSourcesQuery.data ?? []}
             onDraftChange={setDraft}
             onSave={() => saveMutation.mutate(draft)}
             onBack={closeEditor}
@@ -531,6 +540,7 @@ function AiProfileEditorPage({
   modelError,
   isListingModels,
   onListModels,
+  enrichmentSources,
   onDraftChange,
   onSave,
   onBack,
@@ -547,11 +557,47 @@ function AiProfileEditorPage({
   modelError: string | null
   isListingModels: boolean
   onListModels: (id: string) => void
+  enrichmentSources: EnrichmentSource[]
   onDraftChange: React.Dispatch<React.SetStateAction<SaveTenantAiProfile>>
   onSave: () => void
   onBack: () => void
 }) {
   const saveLabel = profile ? 'Save changes' : 'Create profile'
+  const aiResearchSources = useMemo(
+    () =>
+      enrichmentSources.filter(
+        (source) =>
+          source.enabled &&
+          source.targets.some((target) => target.toLowerCase() === 'airesearch'),
+      ),
+    [enrichmentSources],
+  )
+  const selectedResearchSource = aiResearchSources.find((source) => source.key === draft.researchSourceKey) ?? null
+  const defaultResearchSourceKey = aiResearchSources[0]?.key ?? ''
+  const canUseProviderNativeResearch = draft.providerType === 'OpenAi'
+  const canUseManagedResearch = aiResearchSources.length > 0
+  const noResearchToolsAvailable = !canUseManagedResearch && !canUseProviderNativeResearch
+
+  useEffect(() => {
+    if (
+      draft.allowExternalResearch &&
+      draft.webResearchMode === 'PatchHoundManaged' &&
+      !draft.researchSourceKey &&
+      defaultResearchSourceKey
+    ) {
+      onDraftChange((current) =>
+        current.researchSourceKey
+          ? current
+          : { ...current, researchSourceKey: defaultResearchSourceKey },
+      )
+    }
+  }, [
+    defaultResearchSourceKey,
+    draft.allowExternalResearch,
+    draft.researchSourceKey,
+    draft.webResearchMode,
+    onDraftChange,
+  ])
 
   return (
     <div className="space-y-5">
@@ -613,8 +659,16 @@ function AiProfileEditorPage({
                               ? current.webResearchMode === 'Disabled'
                                 ? 'ProviderNative'
                                 : current.webResearchMode
-                              : 'PatchHoundManaged'
+                              : canUseManagedResearch
+                                ? 'PatchHoundManaged'
+                                : 'Disabled'
                             : 'Disabled',
+                          allowExternalResearch:
+                            current.allowExternalResearch && (provider.type === 'OpenAi' || canUseManagedResearch),
+                          researchSourceKey:
+                            provider.type === 'OpenAi' && current.webResearchMode === 'ProviderNative'
+                              ? ''
+                              : current.researchSourceKey || defaultResearchSourceKey,
                         }))
                       }}
                     >
@@ -872,31 +926,56 @@ function AiProfileEditorPage({
           <FormSection title="Web research" icon={CircleAlert}>
             <div className="space-y-4">
               <InsetPanel className="space-y-4 p-4">
-                <label className="flex items-start gap-3">
-                  <Checkbox
-                    checked={draft.allowExternalResearch}
-                    onCheckedChange={(checked) => {
-                      const allowExternalResearch = checked === true
-                      onDraftChange((current) => ({
-                        ...current,
-                        allowExternalResearch,
-                        webResearchMode: allowExternalResearch
-                          ? current.providerType === 'OpenAi'
-                            ? current.webResearchMode === 'Disabled'
-                              ? 'ProviderNative'
-                              : current.webResearchMode
-                            : 'PatchHoundManaged'
-                          : 'Disabled',
-                      }))
-                    }}
-                  />
-                  <div className="space-y-1">
-                    <span className="text-sm font-medium text-foreground">Allow external web research</span>
+                {noResearchToolsAvailable ? (
+                  <div className="space-y-2">
+                    <p className="text-sm font-medium text-foreground">No research tools available</p>
                     <p className="text-sm text-muted-foreground">
-                      Use recent external context when supported by the provider or by PatchHound-managed research. Vulnerability assessments always use local PatchHound intel first.
+                      Configure an enabled enrichment source that targets AI research before this profile can use external web research.
                     </p>
+                    <Link
+                      to="/admin/platform/enrichment"
+                      className="inline-flex text-sm font-medium text-primary underline-offset-4 hover:underline"
+                    >
+                      Configure research tools
+                    </Link>
                   </div>
-                </label>
+                ) : (
+                  <label className="flex items-start gap-3">
+                    <Checkbox
+                      checked={draft.allowExternalResearch}
+                      onCheckedChange={(checked) => {
+                        const allowExternalResearch = checked === true
+                        onDraftChange((current) => {
+                          const nextMode = allowExternalResearch
+                            ? current.providerType === 'OpenAi'
+                              ? current.webResearchMode === 'Disabled'
+                                ? 'ProviderNative'
+                                : current.webResearchMode
+                              : 'PatchHoundManaged'
+                            : 'Disabled'
+
+                          return {
+                            ...current,
+                            allowExternalResearch,
+                            webResearchMode: nextMode,
+                            researchSourceKey:
+                              allowExternalResearch && nextMode === 'PatchHoundManaged'
+                                ? current.researchSourceKey || defaultResearchSourceKey
+                                : nextMode === 'PatchHoundManaged'
+                                  ? current.researchSourceKey
+                                  : '',
+                          }
+                        })
+                      }}
+                    />
+                    <div className="space-y-1">
+                      <span className="text-sm font-medium text-foreground">Allow external web research</span>
+                      <p className="text-sm text-muted-foreground">
+                        Use recent external context when supported by the provider or by PatchHound-managed research. Vulnerability assessments always use local PatchHound intel first.
+                      </p>
+                    </div>
+                  </label>
+                )}
 
                 {draft.allowExternalResearch ? (
                   <div className="grid gap-4 md:grid-cols-2">
@@ -907,6 +986,10 @@ function AiProfileEditorPage({
                           onDraftChange((current) => ({
                             ...current,
                             webResearchMode: value as SaveTenantAiProfile['webResearchMode'],
+                            researchSourceKey:
+                              value === 'PatchHoundManaged'
+                                ? current.researchSourceKey || defaultResearchSourceKey
+                                : '',
                           }))
                         }
                       >
@@ -918,7 +1001,9 @@ function AiProfileEditorPage({
                             <SelectItem value="ProviderNative">Provider native</SelectItem>
                           ) : null}
                           <SelectItem value="LocalVulnerabilityIntel">Local vulnerability intel</SelectItem>
-                          <SelectItem value="PatchHoundManaged">PatchHound managed</SelectItem>
+                          {canUseManagedResearch ? (
+                            <SelectItem value="PatchHoundManaged">PatchHound managed</SelectItem>
+                          ) : null}
                         </SelectContent>
                       </Select>
                       {draft.webResearchMode === 'PatchHoundManaged' ? (
@@ -932,6 +1017,40 @@ function AiProfileEditorPage({
                       ) : null}
                     </Field>
 
+                    {draft.webResearchMode === 'PatchHoundManaged' ? (
+                      canUseManagedResearch ? (
+                        <Field label="Research tool" tooltip="Enabled enrichment sources that target AI research.">
+                          <Select
+                            value={selectedResearchSource?.key ?? defaultResearchSourceKey}
+                            onValueChange={(value) =>
+                              onDraftChange((current) => ({ ...current, researchSourceKey: value ?? '' }))
+                            }
+                          >
+                            <SelectTrigger className="h-10 w-full rounded-xl border-border/80 bg-card px-3">
+                              <SelectValue />
+                            </SelectTrigger>
+                            <SelectContent className="rounded-2xl border-border/70 bg-popover/95 backdrop-blur">
+                              {aiResearchSources.map((source) => (
+                                <SelectItem key={source.key} value={source.key}>
+                                  {source.displayName}
+                                </SelectItem>
+                              ))}
+                            </SelectContent>
+                          </Select>
+                        </Field>
+                      ) : (
+                        <InsetPanel className="space-y-2 px-4 py-3 md:col-span-2">
+                          <p className="text-sm font-medium text-foreground">No research tools available</p>
+                          <Link
+                            to="/admin/platform/enrichment"
+                            className="inline-flex text-sm font-medium text-primary underline-offset-4 hover:underline"
+                          >
+                            Configure research tools
+                          </Link>
+                        </InsetPanel>
+                      )
+                    ) : null}
+
                     <Field label="Max research sources" tooltip="Upper bound for external sources added to the research context.">
                       <Input
                         type="number"
diff --git a/frontend/src/server/system.functions.ts b/frontend/src/server/system.functions.ts
index c49f9e42..5f5340cb 100644
--- a/frontend/src/server/system.functions.ts
+++ b/frontend/src/server/system.functions.ts
@@ -40,8 +40,23 @@ const enrichmentSourceSchema = z.object({
   key: z.string(),
   displayName: z.string(),
   enabled: z.boolean(),
-  credentialMode: z.enum(['global-secret', 'tenant-source', 'no-credential']),
+  credentialMode: z.enum(['global-secret', 'tenant-source', 'no-credential', 'optional-global-secret']),
+  targets: z.array(z.string()).default([]),
   refreshTtlHours: z.number().int().nullable(),
+  options: z.object({
+    jinaReader: z.object({
+      timeoutSeconds: z.number().int(),
+      maxContentChars: z.number().int(),
+      responseFormat: z.string(),
+      useReaderLmV2: z.boolean(),
+      removeImages: z.boolean(),
+      includeLinkSummary: z.boolean(),
+      includeImageSummary: z.boolean(),
+      targetSelector: z.string(),
+      excludeSelector: z.string(),
+      waitForSelector: z.string(),
+    }).nullable(),
+  }).default({ jinaReader: null }),
   credentials: z.object({
     storedCredentialId: z.string().uuid().nullable().optional(),
     acceptedCredentialTypes: z.array(z.string()).optional().default([]),
@@ -155,7 +170,22 @@ export const updateEnrichmentSources = createServerFn({ method: 'POST' })
     key: z.string(),
     displayName: z.string().min(1),
     enabled: z.boolean(),
+    targets: z.array(z.string()).optional(),
     refreshTtlHours: z.number().int().nullable(),
+    options: z.object({
+      jinaReader: z.object({
+        timeoutSeconds: z.number().int(),
+        maxContentChars: z.number().int(),
+        responseFormat: z.string(),
+        useReaderLmV2: z.boolean(),
+        removeImages: z.boolean(),
+        includeLinkSummary: z.boolean(),
+        includeImageSummary: z.boolean(),
+        targetSelector: z.string(),
+        excludeSelector: z.string(),
+        waitForSelector: z.string(),
+      }).nullable(),
+    }).optional(),
     credentials: z.object({
       storedCredentialId: z.string().uuid().nullable().optional(),
       secret: z.string(),
diff --git a/src/PatchHound.Api/Controllers/SoftwareController.cs b/src/PatchHound.Api/Controllers/SoftwareController.cs
index 38dd4ede..961df0a0 100644
--- a/src/PatchHound.Api/Controllers/SoftwareController.cs
+++ b/src/PatchHound.Api/Controllers/SoftwareController.cs
@@ -1068,7 +1068,8 @@ CancellationToken ct
                         researchQuery,
                         ParseAllowedDomains(profile.AllowedDomains),
                         profile.MaxResearchSources,
-                        profile.IncludeCitations
+                        profile.IncludeCitations,
+                        ResearchSourceKey: profile.ResearchSourceKey
                     ),
                     ct
                 );
diff --git a/src/PatchHound.Api/Controllers/SystemController.cs b/src/PatchHound.Api/Controllers/SystemController.cs
index 9c306356..54e93fe6 100644
--- a/src/PatchHound.Api/Controllers/SystemController.cs
+++ b/src/PatchHound.Api/Controllers/SystemController.cs
@@ -459,10 +459,17 @@ CancellationToken ct
         foreach (var source in request)
         {
             existingSources.TryGetValue(source.Key, out var existingSource);
+            var defaultSource = EnrichmentSourceCatalog.CreateDefaults()
+                .FirstOrDefault(item => string.Equals(item.SourceKey, source.Key, StringComparison.OrdinalIgnoreCase));
             var secretRef = existingSource?.SecretRef ?? string.Empty;
             var secretValue = source.Credentials.Secret.Trim();
             var oldSecretRef = existingSource?.SecretRef;
             var storedCredentialId = source.Credentials.StoredCredentialId;
+            var targets = EnrichmentSourceCatalog.NormalizeTargets(
+                source.Targets
+                ?? EnrichmentSourceCatalog.ParseTargets(existingSource?.Targets ?? defaultSource?.Targets)
+            );
+            var optionsJson = SerializeOptions(source.Key, source.Options, existingSource?.OptionsJson ?? defaultSource?.OptionsJson);
 
             if (storedCredentialId.HasValue)
             {
@@ -507,7 +514,9 @@ CancellationToken ct
                     secretRef,
                     source.Credentials.ApiBaseUrl,
                     storedCredentialId,
-                    source.RefreshTtlHours
+                    source.RefreshTtlHours,
+                    targets,
+                    optionsJson
                 );
                 await _dbContext.EnrichmentSourceConfigurations.AddAsync(existingSource, ct);
                 existingSources[source.Key] = existingSource;
@@ -524,7 +533,9 @@ CancellationToken ct
                 secretRef,
                 source.Credentials.ApiBaseUrl,
                 storedCredentialId,
-                source.RefreshTtlHours
+                source.RefreshTtlHours,
+                targets,
+                optionsJson
             );
 
             if (
@@ -579,6 +590,7 @@ IReadOnlyList<EnrichmentRunDto> recentRuns
             source.SourceKey,
             source.DisplayName,
             source.Enabled,
+            EnrichmentSourceCatalog.ParseTargets(source.Targets),
             new EnrichmentSourceCredentialsDto(
                 source.StoredCredentialId,
                 EnrichmentSourceCatalog.GetAcceptedCredentialTypes(source.SourceKey),
@@ -591,10 +603,13 @@ IReadOnlyList<EnrichmentRunDto> recentRuns
                 StringComparison.OrdinalIgnoreCase
             )
                 ? "tenant-source"
-                : !EnrichmentSourceCatalog.RequiresCredentials(source.SourceKey)
+                : EnrichmentSourceCatalog.SupportsOptionalCredentials(source.SourceKey)
+                    ? "optional-global-secret"
+                    : !EnrichmentSourceCatalog.RequiresCredentials(source.SourceKey)
                     ? "no-credential"
                     : "global-secret",
             source.RefreshTtlHours,
+            MapOptions(source),
             new EnrichmentSourceRuntimeDto(
                 source.LastStartedAt,
                 source.LastCompletedAt,
@@ -607,6 +622,59 @@ IReadOnlyList<EnrichmentRunDto> recentRuns
         );
     }
 
+    private static EnrichmentSourceOptionsDto MapOptions(EnrichmentSourceConfiguration source)
+    {
+        if (!string.Equals(source.SourceKey, EnrichmentSourceCatalog.JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase))
+        {
+            return new EnrichmentSourceOptionsDto();
+        }
+
+        var options = JinaReaderOptions.FromJson(source.OptionsJson).Normalize();
+        return new EnrichmentSourceOptionsDto(
+            new JinaReaderOptionsDto(
+                options.TimeoutSeconds,
+                options.MaxContentChars,
+                options.ResponseFormat,
+                options.UseReaderLmV2,
+                options.RemoveImages,
+                options.IncludeLinkSummary,
+                options.IncludeImageSummary,
+                options.TargetSelector,
+                options.ExcludeSelector,
+                options.WaitForSelector
+            )
+        );
+    }
+
+    private static string SerializeOptions(
+        string sourceKey,
+        EnrichmentSourceOptionsDto? options,
+        string? existingOptionsJson
+    )
+    {
+        if (!string.Equals(sourceKey, EnrichmentSourceCatalog.JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase))
+        {
+            return existingOptionsJson ?? string.Empty;
+        }
+
+        var jina = options?.JinaReader is null
+            ? JinaReaderOptions.FromJson(existingOptionsJson)
+            : new JinaReaderOptions(
+                options.JinaReader.TimeoutSeconds,
+                options.JinaReader.MaxContentChars,
+                options.JinaReader.ResponseFormat,
+                options.JinaReader.UseReaderLmV2,
+                options.JinaReader.RemoveImages,
+                options.JinaReader.IncludeLinkSummary,
+                options.JinaReader.IncludeImageSummary,
+                options.JinaReader.TargetSelector,
+                options.JinaReader.ExcludeSelector,
+                options.JinaReader.WaitForSelector
+            );
+
+        return jina.Normalize().ToJson();
+    }
+
     private static EnrichmentRunDto MapRunDto(EnrichmentRun run)
     {
         return new EnrichmentRunDto(
diff --git a/src/PatchHound.Api/Controllers/TenantAiProfilesController.cs b/src/PatchHound.Api/Controllers/TenantAiProfilesController.cs
index 6e99cf97..2261a294 100644
--- a/src/PatchHound.Api/Controllers/TenantAiProfilesController.cs
+++ b/src/PatchHound.Api/Controllers/TenantAiProfilesController.cs
@@ -78,6 +78,12 @@ CancellationToken ct
             return BadRequest(validationProblem);
         }
 
+        var researchSourceProblem = await ValidateResearchSourceAsync(request, ct);
+        if (researchSourceProblem is not null)
+        {
+            return BadRequest(researchSourceProblem);
+        }
+
         var profile = TenantAiProfile.Create(
             tenantId,
             request.Name,
@@ -100,7 +106,8 @@ CancellationToken ct
             maxResearchSources: request.MaxResearchSources,
             allowedDomains: request.AllowedDomains,
             numCtx: request.NumCtx,
-            responseFormat: ResolveResponseFormat(request.ResponseFormat)
+            responseFormat: ResolveResponseFormat(request.ResponseFormat),
+            researchSourceKey: ResolveResearchSourceKey(request)
         );
 
         var secretRef = BuildSecretRef(tenantId, profile.Id);
@@ -132,7 +139,8 @@ await _secretStore.PutSecretAsync(
                 request.MaxResearchSources,
                 request.AllowedDomains,
                 request.NumCtx,
-                ResolveResponseFormat(request.ResponseFormat)
+                ResolveResponseFormat(request.ResponseFormat),
+                ResolveResearchSourceKey(request)
             );
         }
 
@@ -164,7 +172,8 @@ await _secretStore.PutSecretAsync(
                 request.MaxResearchSources,
                 request.AllowedDomains,
                 request.NumCtx,
-                ResolveResponseFormat(request.ResponseFormat)
+                ResolveResponseFormat(request.ResponseFormat),
+                ResolveResearchSourceKey(request)
             );
         }
 
@@ -212,6 +221,12 @@ CancellationToken ct
             return BadRequest(validationProblem);
         }
 
+        var researchSourceProblem = await ValidateResearchSourceAsync(request, ct);
+        if (researchSourceProblem is not null)
+        {
+            return BadRequest(researchSourceProblem);
+        }
+
         var secretRef = profile.SecretRef;
         if (!string.IsNullOrWhiteSpace(request.ApiKey))
         {
@@ -249,7 +264,8 @@ await _secretStore.PutSecretAsync(
             request.MaxResearchSources,
             request.AllowedDomains,
             request.NumCtx,
-            ResolveResponseFormat(request.ResponseFormat)
+            ResolveResponseFormat(request.ResponseFormat),
+            ResolveResearchSourceKey(request)
         );
         profile.ResetValidation();
 
@@ -302,7 +318,8 @@ public async Task<ActionResult<TenantAiProfileDto>> SetDefault(Guid id, Cancella
             profile.MaxResearchSources,
             profile.AllowedDomains,
             profile.NumCtx,
-            profile.ResponseFormat
+            profile.ResponseFormat,
+            profile.ResearchSourceKey
         );
 
         await _dbContext.SaveChangesAsync(ct);
@@ -414,11 +431,48 @@ private async Task ClearDefaultAsync(Guid tenantId, CancellationToken ct, Guid?
                 profile.MaxResearchSources,
                 profile.AllowedDomains,
                 profile.NumCtx,
-                profile.ResponseFormat
+                profile.ResponseFormat,
+                profile.ResearchSourceKey
             );
         }
     }
 
+    private async Task<ProblemDetails?> ValidateResearchSourceAsync(
+        SaveTenantAiProfileRequest request,
+        CancellationToken ct
+    )
+    {
+        var mode = ResolveWebResearchMode(request);
+        if (!request.AllowExternalResearch || mode != TenantAiWebResearchMode.PatchHoundManaged)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(request.ResearchSourceKey))
+        {
+            return new ProblemDetails { Title = "PatchHound-managed web research requires a research source." };
+        }
+
+        var source = await _dbContext.EnrichmentSourceConfigurations.AsNoTracking()
+            .FirstOrDefaultAsync(
+                item => item.SourceKey == request.ResearchSourceKey.Trim(),
+                ct
+            );
+
+        if (source is null)
+        {
+            source = EnrichmentSourceCatalog.CreateDefaults()
+                .FirstOrDefault(item => string.Equals(item.SourceKey, request.ResearchSourceKey.Trim(), StringComparison.OrdinalIgnoreCase));
+        }
+
+        if (source is null || !source.Enabled || !EnrichmentSourceCatalog.HasTarget(source, EnrichmentSourceCatalog.AiResearchTarget))
+        {
+            return new ProblemDetails { Title = "Selected research source is not available for AI research." };
+        }
+
+        return null;
+    }
+
     private static string BuildSecretRef(Guid tenantId, Guid profileId) =>
         $"tenants/{tenantId}/ai/{profileId}";
 
@@ -563,6 +617,7 @@ private static TenantAiProfileDto MapDto(TenantAiProfile profile) =>
             profile.IncludeCitations,
             profile.MaxResearchSources,
             profile.AllowedDomains,
+            profile.ResearchSourceKey,
             !string.IsNullOrWhiteSpace(profile.SecretRef),
             profile.LastValidatedAt,
             profile.LastValidationStatus.ToString(),
@@ -616,6 +671,14 @@ SaveTenantAiProfileRequest request
             : TenantAiWebResearchMode.PatchHoundManaged;
     }
 
+    private static string ResolveResearchSourceKey(SaveTenantAiProfileRequest request)
+    {
+        var mode = ResolveWebResearchMode(request);
+        return request.AllowExternalResearch && mode == TenantAiWebResearchMode.PatchHoundManaged
+            ? request.ResearchSourceKey.Trim()
+            : string.Empty;
+    }
+
     private static TenantAiProfileValidationResultDto MapValidationDto(TenantAiProfile profile) =>
         new(
             profile.Id,
diff --git a/src/PatchHound.Api/Models/Settings/TenantAiProfileDto.cs b/src/PatchHound.Api/Models/Settings/TenantAiProfileDto.cs
index c4947444..945994eb 100644
--- a/src/PatchHound.Api/Models/Settings/TenantAiProfileDto.cs
+++ b/src/PatchHound.Api/Models/Settings/TenantAiProfileDto.cs
@@ -21,6 +21,7 @@ public record TenantAiProfileDto(
     bool IncludeCitations,
     int MaxResearchSources,
     string AllowedDomains,
+    string ResearchSourceKey,
     bool HasSecret,
     DateTimeOffset? LastValidatedAt,
     string LastValidationStatus,
@@ -51,7 +52,8 @@ public record SaveTenantAiProfileRequest(
     string AllowedDomains,
     string ApiKey,
     int? NumCtx,
-    string? ResponseFormat
+    string? ResponseFormat,
+    string ResearchSourceKey = ""
 );
 
 public record TenantAiProfileValidationResultDto(
diff --git a/src/PatchHound.Api/Models/System/EnrichmentSourceDtos.cs b/src/PatchHound.Api/Models/System/EnrichmentSourceDtos.cs
index 6569ed62..48e371b4 100644
--- a/src/PatchHound.Api/Models/System/EnrichmentSourceDtos.cs
+++ b/src/PatchHound.Api/Models/System/EnrichmentSourceDtos.cs
@@ -4,9 +4,11 @@ public record EnrichmentSourceDto(
     string Key,
     string DisplayName,
     bool Enabled,
+    IReadOnlyList<string> Targets,
     EnrichmentSourceCredentialsDto Credentials,
     string CredentialMode,
     int? RefreshTtlHours,
+    EnrichmentSourceOptionsDto Options,
     EnrichmentSourceRuntimeDto Runtime,
     EnrichmentSourceQueueDto Queue,
     IReadOnlyList<EnrichmentRunDto> RecentRuns
@@ -53,7 +55,9 @@ public record UpdateEnrichmentSourceRequest(
     string DisplayName,
     bool Enabled,
     int? RefreshTtlHours,
-    UpdateEnrichmentSourceCredentialsRequest Credentials
+    UpdateEnrichmentSourceCredentialsRequest Credentials,
+    IReadOnlyList<string>? Targets = null,
+    EnrichmentSourceOptionsDto? Options = null
 );
 
 public record UpdateEnrichmentSourceCredentialsRequest(
@@ -62,4 +66,21 @@ public record UpdateEnrichmentSourceCredentialsRequest(
     string ApiBaseUrl
 );
 
+public record EnrichmentSourceOptionsDto(
+    JinaReaderOptionsDto? JinaReader = null
+);
+
+public record JinaReaderOptionsDto(
+    int TimeoutSeconds,
+    int MaxContentChars,
+    string ResponseFormat,
+    bool UseReaderLmV2,
+    bool RemoveImages,
+    bool IncludeLinkSummary,
+    bool IncludeImageSummary,
+    string TargetSelector,
+    string ExcludeSelector,
+    string WaitForSelector
+);
+
 public record TriggerNvdFullSyncRequest(int FromYear, int ToYear);
diff --git a/src/PatchHound.Core/Entities/EnrichmentSourceConfiguration.cs b/src/PatchHound.Core/Entities/EnrichmentSourceConfiguration.cs
index d2b35c32..2b8ea3a6 100644
--- a/src/PatchHound.Core/Entities/EnrichmentSourceConfiguration.cs
+++ b/src/PatchHound.Core/Entities/EnrichmentSourceConfiguration.cs
@@ -8,6 +8,8 @@ public class EnrichmentSourceConfiguration
     public bool Enabled { get; private set; }
     public string SecretRef { get; private set; } = string.Empty;
     public string ApiBaseUrl { get; private set; } = string.Empty;
+    public string Targets { get; private set; } = string.Empty;
+    public string OptionsJson { get; private set; } = string.Empty;
     public Guid? StoredCredentialId { get; private set; }
     public int? RefreshTtlHours { get; private set; }
     public Guid? ActiveEnrichmentRunId { get; private set; }
@@ -28,7 +30,9 @@ public static EnrichmentSourceConfiguration Create(
         string secretRef = "",
         string apiBaseUrl = "",
         Guid? storedCredentialId = null,
-        int? refreshTtlHours = null
+        int? refreshTtlHours = null,
+        string targets = "Scheduled",
+        string optionsJson = ""
     )
     {
         return new EnrichmentSourceConfiguration
@@ -39,6 +43,8 @@ public static EnrichmentSourceConfiguration Create(
             Enabled = enabled,
             SecretRef = secretRef,
             ApiBaseUrl = apiBaseUrl,
+            Targets = string.IsNullOrWhiteSpace(targets) ? "Scheduled" : targets.Trim(),
+            OptionsJson = optionsJson?.Trim() ?? string.Empty,
             StoredCredentialId = storedCredentialId,
             RefreshTtlHours = refreshTtlHours,
         };
@@ -50,13 +56,17 @@ public void UpdateConfiguration(
         string secretRef,
         string apiBaseUrl,
         Guid? storedCredentialId,
-        int? refreshTtlHours
+        int? refreshTtlHours,
+        string targets = "Scheduled",
+        string optionsJson = ""
     )
     {
         DisplayName = displayName;
         Enabled = enabled;
         SecretRef = secretRef;
         ApiBaseUrl = apiBaseUrl;
+        Targets = string.IsNullOrWhiteSpace(targets) ? "Scheduled" : targets.Trim();
+        OptionsJson = optionsJson?.Trim() ?? string.Empty;
         StoredCredentialId = storedCredentialId;
         RefreshTtlHours = refreshTtlHours;
     }
diff --git a/src/PatchHound.Core/Entities/TenantAiProfile.cs b/src/PatchHound.Core/Entities/TenantAiProfile.cs
index 2576e657..25f9a43d 100644
--- a/src/PatchHound.Core/Entities/TenantAiProfile.cs
+++ b/src/PatchHound.Core/Entities/TenantAiProfile.cs
@@ -28,6 +28,7 @@ public class TenantAiProfile
     public bool IncludeCitations { get; private set; }
     public int MaxResearchSources { get; private set; }
     public string AllowedDomains { get; private set; } = string.Empty;
+    public string ResearchSourceKey { get; private set; } = string.Empty;
     public DateTimeOffset? LastValidatedAt { get; private set; }
     public TenantAiProfileValidationStatus LastValidationStatus { get; private set; }
     public string LastValidationError { get; private set; } = string.Empty;
@@ -59,7 +60,8 @@ public static TenantAiProfile Create(
         int maxResearchSources = 5,
         string allowedDomains = "",
         int? numCtx = null,
-        TenantAiResponseFormat responseFormat = TenantAiResponseFormat.None
+        TenantAiResponseFormat responseFormat = TenantAiResponseFormat.None,
+        string researchSourceKey = ""
     )
     {
         var now = DateTimeOffset.UtcNow;
@@ -89,6 +91,7 @@ public static TenantAiProfile Create(
             IncludeCitations = includeCitations,
             MaxResearchSources = maxResearchSources,
             AllowedDomains = allowedDomains.Trim(),
+            ResearchSourceKey = researchSourceKey.Trim(),
             LastValidationStatus = TenantAiProfileValidationStatus.Unknown,
             CreatedAt = now,
             UpdatedAt = now,
@@ -116,7 +119,8 @@ public void Update(
         int maxResearchSources,
         string allowedDomains,
         int? numCtx,
-        TenantAiResponseFormat responseFormat
+        TenantAiResponseFormat responseFormat,
+        string researchSourceKey = ""
     )
     {
         Name = name.Trim();
@@ -140,6 +144,7 @@ TenantAiResponseFormat responseFormat
         IncludeCitations = includeCitations;
         MaxResearchSources = maxResearchSources;
         AllowedDomains = allowedDomains.Trim();
+        ResearchSourceKey = researchSourceKey.Trim();
         UpdatedAt = DateTimeOffset.UtcNow;
     }
 
diff --git a/src/PatchHound.Core/Models/AiWebResearchRequest.cs b/src/PatchHound.Core/Models/AiWebResearchRequest.cs
index c09966ee..abe7f031 100644
--- a/src/PatchHound.Core/Models/AiWebResearchRequest.cs
+++ b/src/PatchHound.Core/Models/AiWebResearchRequest.cs
@@ -8,5 +8,6 @@ public record AiWebResearchRequest(
     int MaxSources,
     bool IncludeCitations,
     IReadOnlyList<Guid>? VulnerabilityIds = null,
-    IReadOnlyList<AiResearchProviderKind>? Providers = null
+    IReadOnlyList<AiResearchProviderKind>? Providers = null,
+    string ResearchSourceKey = ""
 );
diff --git a/src/PatchHound.Core/Services/RiskChangeBriefAiSummaryService.cs b/src/PatchHound.Core/Services/RiskChangeBriefAiSummaryService.cs
index 19048cc5..9d881a67 100644
--- a/src/PatchHound.Core/Services/RiskChangeBriefAiSummaryService.cs
+++ b/src/PatchHound.Core/Services/RiskChangeBriefAiSummaryService.cs
@@ -93,7 +93,8 @@ CancellationToken ct
                     BuildResearchQuery(brief),
                     ParseAllowedDomains(profile.AllowedDomains),
                     profile.MaxResearchSources,
-                    profile.IncludeCitations
+                    profile.IncludeCitations,
+                    ResearchSourceKey: profile.ResearchSourceKey
                 ),
                 ct
             );
diff --git a/src/PatchHound.Infrastructure/Data/Configurations/EnrichmentSourceConfiguration.cs b/src/PatchHound.Infrastructure/Data/Configurations/EnrichmentSourceConfiguration.cs
index cf743782..5211c07a 100644
--- a/src/PatchHound.Infrastructure/Data/Configurations/EnrichmentSourceConfiguration.cs
+++ b/src/PatchHound.Infrastructure/Data/Configurations/EnrichmentSourceConfiguration.cs
@@ -17,6 +17,8 @@ public void Configure(EntityTypeBuilder<EnrichmentSourceConfiguration> builder)
         builder.Property(source => source.DisplayName).HasMaxLength(256).IsRequired();
         builder.Property(source => source.SecretRef).HasMaxLength(512).IsRequired();
         builder.Property(source => source.ApiBaseUrl).HasMaxLength(512).IsRequired();
+        builder.Property(source => source.Targets).HasMaxLength(256).IsRequired();
+        builder.Property(source => source.OptionsJson).HasColumnType("text").IsRequired();
         builder.Property(source => source.StoredCredentialId);
         builder.HasIndex(source => source.ActiveEnrichmentRunId);
         builder.HasIndex(source => source.StoredCredentialId);
diff --git a/src/PatchHound.Infrastructure/Data/Configurations/TenantAiProfileConfiguration.cs b/src/PatchHound.Infrastructure/Data/Configurations/TenantAiProfileConfiguration.cs
index f3e2e134..620c4ed8 100644
--- a/src/PatchHound.Infrastructure/Data/Configurations/TenantAiProfileConfiguration.cs
+++ b/src/PatchHound.Infrastructure/Data/Configurations/TenantAiProfileConfiguration.cs
@@ -27,6 +27,7 @@ public void Configure(EntityTypeBuilder<TenantAiProfile> builder)
             .HasConversion<string>()
             .HasMaxLength(32);
         builder.Property(item => item.AllowedDomains).HasColumnType("text").IsRequired();
+        builder.Property(item => item.ResearchSourceKey).HasMaxLength(128).IsRequired();
         builder
             .Property(item => item.LastValidationStatus)
             .HasConversion<string>()
diff --git a/src/PatchHound.Infrastructure/DependencyInjection.cs b/src/PatchHound.Infrastructure/DependencyInjection.cs
index e6fc99b0..66938217 100644
--- a/src/PatchHound.Infrastructure/DependencyInjection.cs
+++ b/src/PatchHound.Infrastructure/DependencyInjection.cs
@@ -134,6 +134,11 @@ void ConfigureDbContext(IServiceProvider sp, DbContextOptionsBuilder options) =>
         services
             .AddHttpClient<ExternalWebSearchResearchProvider>()
             .AddExternalHttpPolicies(maxConnectionsPerServer: 2);
+        services.AddScoped<IAiResearchSourceProvider>(sp => sp.GetRequiredService<ExternalWebSearchResearchProvider>());
+        services
+            .AddHttpClient<JinaReaderAiResearchProvider>()
+            .AddExternalHttpPolicies(maxConnectionsPerServer: 2);
+        services.AddScoped<IAiResearchSourceProvider>(sp => sp.GetRequiredService<JinaReaderAiResearchProvider>());
         services.AddScoped<ISetupService, SetupService>();
         services.AddScoped<EnvironmentalSeverityCalculator>();
         services.AddScoped<ExposureDerivationService>();
diff --git a/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.Designer.cs b/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.Designer.cs
new file mode 100644
index 00000000..fed9f904
--- /dev/null
+++ b/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.Designer.cs
@@ -0,0 +1,5804 @@
+// <auto-generated />
+using System;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+using PatchHound.Infrastructure.Data;
+
+#nullable disable
+
+namespace PatchHound.Infrastructure.Migrations
+{
+    [DbContext(typeof(PatchHoundDbContext))]
+    [Migration("20260522105236_AddAiResearchSourceTargets")]
+    partial class AddAiResearchSourceTargets
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.7")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AIReport", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Content")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("GeneratedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("GeneratedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("MaxOutputTokens")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Model")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ProfileName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ProviderType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SystemPromptHash")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<decimal>("Temperature")
+                        .HasPrecision(4, 2)
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<Guid>("TenantAiProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("TenantAiProfileId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("VulnerabilityId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "GeneratedAt");
+
+                    b.ToTable("AIReports");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AdvancedTool", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AiPrompt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("KqlQuery")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("SupportedAssetTypesJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Name")
+                        .IsUnique();
+
+                    b.ToTable("AdvancedTools");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AnalystRecommendation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AnalystId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PriorityOverride")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("Rationale")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RecommendedOutcome")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("RemediationWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("RemediationWorkflowId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId");
+
+                    b.ToTable("AnalystRecommendations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovalTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("ReadAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RemediationDecisionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("RemediationWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("RequiresJustification")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("ResolutionJustification")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("ResolvedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ResolvedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ExpiresAt");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("RemediationDecisionId");
+
+                    b.HasIndex("RemediationWorkflowId");
+
+                    b.HasIndex("Status");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationDecisionId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "Status");
+
+                    b.ToTable("ApprovalTasks");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovalTaskVisibleRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ApprovalTaskId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApprovalTaskId", "Role")
+                        .IsUnique();
+
+                    b.HasIndex("Role", "ApprovalTaskId");
+
+                    b.ToTable("ApprovalTaskVisibleRoles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovedVulnerabilityRemediation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("ApprovedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Outcome")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RemediationDecisionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("RemediationDecisionId");
+
+                    b.HasIndex("VulnerabilityId");
+
+                    b.HasIndex("TenantId", "Outcome");
+
+                    b.HasIndex("TenantId", "RemediationCaseId");
+
+                    b.HasIndex("TenantId", "VulnerabilityId", "RemediationCaseId")
+                        .IsUnique();
+
+                    b.ToTable("ApprovedVulnerabilityRemediations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuditLogEntry", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Action")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("EntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntityType")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("NewValues")
+                        .HasColumnType("text");
+
+                    b.Property<string>("OldValues")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("Timestamp")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("Timestamp");
+
+                    b.HasIndex("EntityType", "EntityId");
+
+                    b.ToTable("AuditLogEntries");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.AuthenticatedScanRun", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("EntriesIngested")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("FailedCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("ScanProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("SucceededCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("TotalDevices")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("TriggerKind")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("TriggeredByUserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "ScanProfileId", "StartedAt");
+
+                    b.ToTable("AuthenticatedScanRuns");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ConnectionProfile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AuthMethod")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("HostKeyFingerprint")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Kind")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("SecretRef")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("SshHost")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<int>("SshPort")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SshUsername")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("ConnectionProfiles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.DeviceScanProfileAssignment", b =>
+                {
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ScanProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("AssignedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("AssignedByRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("DeviceId", "ScanProfileId");
+
+                    b.HasIndex("TenantId", "ScanProfileId");
+
+                    b.ToTable("DeviceScanProfileAssignments");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanJob", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AttemptCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("ConnectionProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("EntriesIngested")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("ErrorMessage")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("LeaseExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ScanRunnerId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScanningToolVersionIdsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("StderrBytes")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("StdoutBytes")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RunId");
+
+                    b.HasIndex("ScanRunnerId", "Status");
+
+                    b.ToTable("ScanJobs");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanJobResult", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CapturedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ParsedJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RawStderr")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RawStdout")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ScanJobId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ScanJobId")
+                        .IsUnique();
+
+                    b.ToTable("ScanJobResults");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanJobValidationIssue", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("EntryIndex")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("FieldPath")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Message")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("ScanJobId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ScanJobId");
+
+                    b.ToTable("ScanJobValidationIssues");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanProfile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ConnectionProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CronSchedule")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset?>("LastRunStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("ManualRequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("ScanRunnerId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("ScanProfiles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanProfileTool", b =>
+                {
+                    b.Property<Guid>("ScanProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ScanningToolId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("ExecutionOrder")
+                        .HasColumnType("integer");
+
+                    b.HasKey("ScanProfileId", "ScanningToolId");
+
+                    b.ToTable("ScanProfileTools");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanRunner", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset?>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("SecretHash")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Version")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("ScanRunners");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanningTool", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("CurrentVersionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("InterpreterPath")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("OutputModel")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("ScriptType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("TimeoutSeconds")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("ScanningTools");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.ScanningToolVersion", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("EditedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("EditedByUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ScanningToolId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ScriptContent")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int>("VersionNumber")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ScanningToolId", "VersionNumber")
+                        .IsUnique();
+
+                    b.ToTable("ScanningToolVersions");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AuthenticatedScans.StagedDetectedSoftware", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("CanonicalName")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("CanonicalProductKey")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("CanonicalVendor")
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("Category")
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("DetectedVersion")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PrimaryCpe23Uri")
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<Guid>("ScanJobId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("ScanProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ScanJobId");
+
+                    b.ToTable("StagedDetectedSoftware");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.BusinessLabel", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Color")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<bool>("IsActive")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("WeightCategory")
+                        .IsRequired()
+                        .ValueGeneratedOnAdd()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)")
+                        .HasDefaultValue("Normal");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("BusinessLabels");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.CloudApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ActiveInTenant")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AppId")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IsFallbackPublicClient")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<Guid?>("OwnerTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OwnerTeamRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RedirectUris")
+                        .IsRequired()
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("jsonb")
+                        .HasDefaultValueSql("'[]'::jsonb");
+
+                    b.Property<Guid>("SourceSystemId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "SourceSystemId", "ExternalId")
+                        .IsUnique();
+
+                    b.ToTable("CloudApplications", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.CloudApplicationCredentialMetadata", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("CloudApplicationId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("DisplayName")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<DateTimeOffset>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("CloudApplicationId");
+
+                    b.HasIndex("ExpiresAt");
+
+                    b.HasIndex("TenantId");
+
+                    b.ToTable("CloudApplicationCredentialMetadata", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Comment", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("AuthorId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Content")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("DeletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("EntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntityType")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("EntityType", "EntityId");
+
+                    b.ToTable("Comments");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Device", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AadDeviceId")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<bool>("ActiveInTenant")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.Property<string>("BaselineCriticality")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ComputerDnsName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Criticality")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("CriticalityReason")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<Guid?>("CriticalityRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("CriticalitySource")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("CriticalityUpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<string>("DeviceValue")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<decimal?>("ExposureImpactScore")
+                        .HasColumnType("numeric");
+
+                    b.Property<string>("ExposureLevel")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ExternalRiskLabel")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<Guid?>("FallbackTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("FallbackTeamRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("GroupId")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("GroupName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("HealthStatus")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<bool?>("IsAadJoined")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("LastIpAddress")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset?>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Metadata")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("OnboardingStatus")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("OsPlatform")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("OsVersion")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid?>("OwnerTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OwnerTeamRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("OwnerType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("OwnerUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecurityProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("SecurityProfileRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SourceSystemId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SecurityProfileId");
+
+                    b.HasIndex("SourceSystemId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "ActiveInTenant");
+
+                    b.HasIndex("TenantId", "CreatedAt");
+
+                    b.HasIndex("TenantId", "LastSeenAt");
+
+                    b.HasIndex("TenantId", "SourceSystemId", "ExternalId")
+                        .IsUnique();
+
+                    b.ToTable("Devices");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceBusinessLabel", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("AssignedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("AssignedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AssignedByRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("BusinessLabelId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("SourceType")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("AssignedByRuleId");
+
+                    b.HasIndex("BusinessLabelId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("DeviceId", "BusinessLabelId", "SourceKey")
+                        .IsUnique();
+
+                    b.ToTable("DeviceBusinessLabels");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceGroupRiskScore", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssetCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CalculationVersion")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("CriticalEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("DeviceGroupId")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("DeviceGroupName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("FactorsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("GroupKey")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<int>("HighEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("LowEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("MaxAssetRiskScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<int>("MediumEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("OpenEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("OverallScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "GroupKey")
+                        .IsUnique();
+
+                    b.ToTable("DeviceGroupRiskScores");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceRiskScore", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CalculationVersion")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("CriticalCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("FactorsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int>("HighCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("LowCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("MaxEpisodeRiskScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<int>("MediumCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("OpenEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("OverallScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "DeviceId")
+                        .IsUnique();
+
+                    b.ToTable("DeviceRiskScores");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceRule", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssetType")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("FilterDefinition")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("LastExecutedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("LastMatchCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Operations")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int>("Priority")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "Priority")
+                        .IsUnique();
+
+                    b.ToTable("DeviceRules");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceTag", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Value")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("DeviceId", "Key")
+                        .IsUnique();
+
+                    b.HasIndex("TenantId", "Key");
+
+                    b.ToTable("DeviceTags");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceVulnerabilityExposure", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("FirstObservedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("InstalledSoftwareId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("LastMissedRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("LastObservedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("LastSeenRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("MatchSource")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<string>("MatchedVersion")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<int>("MissingSyncCount")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer")
+                        .HasDefaultValue(0);
+
+                    b.Property<DateTimeOffset?>("ResolvedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceId");
+
+                    b.HasIndex("InstalledSoftwareId");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("VulnerabilityId");
+
+                    b.HasIndex("TenantId", "LastSeenRunId");
+
+                    b.HasIndex("TenantId", "Status");
+
+                    b.HasIndex("TenantId", "VulnerabilityId");
+
+                    b.HasIndex("TenantId", "DeviceId", "VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("DeviceVulnerabilityExposures");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.EnrichmentChangeLog", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ChangeReason")
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<DateTimeOffset>("ChangedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<decimal?>("Confidence")
+                        .HasPrecision(6, 4)
+                        .HasColumnType("numeric(6,4)");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid?>("EnrichmentJobId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("EnrichmentRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("EntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntityType")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("FieldPath")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NewValueJson")
+                        .HasColumnType("text");
+
+                    b.Property<string>("OldValueJson")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid?>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ValueKind")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("EnrichmentJobId");
+
+                    b.HasIndex("EnrichmentRunId");
+
+                    b.HasIndex("Scope", "TenantId", "SourceKey", "ChangedAt");
+
+                    b.HasIndex("Scope", "TenantId", "EntityType", "EntityId", "ChangedAt");
+
+                    b.ToTable("EnrichmentChangeLog", null, t =>
+                        {
+                            t.HasCheckConstraint("CK_EnrichmentChangeLog_Scope_TenantId", "(\"Scope\" = 'Global' AND \"TenantId\" IS NULL) OR (\"Scope\" = 'Tenant' AND \"TenantId\" IS NOT NULL)");
+                        });
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.EnrichmentJob", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("Attempts")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalKey")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset?>("LastCompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastError")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<DateTimeOffset?>("LastStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("LeaseExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LeaseOwner")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("NextAttemptAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Priority")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TargetId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("TargetModel")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("SourceKey", "Status", "NextAttemptAt");
+
+                    b.HasIndex("SourceKey", "TargetModel", "TargetId")
+                        .IsUnique();
+
+                    b.ToTable("EnrichmentJobs");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.EnrichmentRun", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("JobsClaimed")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("JobsFailed")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("JobsNoData")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("JobsRetried")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("JobsSucceeded")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("LastError")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SourceKey");
+
+                    b.HasIndex("StartedAt");
+
+                    b.ToTable("EnrichmentRun", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.EnrichmentSourceConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActiveEnrichmentRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiBaseUrl")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset?>("LastCompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastError")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<DateTimeOffset?>("LastStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastStatus")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset?>("LastSucceededAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("LeaseAcquiredAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("LeaseExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("OptionsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int?>("RefreshTtlHours")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SecretRef")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid?>("StoredCredentialId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Targets")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ActiveEnrichmentRunId");
+
+                    b.HasIndex("SourceKey")
+                        .IsUnique();
+
+                    b.HasIndex("StoredCredentialId");
+
+                    b.ToTable("EnrichmentSourceConfigurations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExecutiveDashboardBriefing", b =>
+                {
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Content")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("GeneratedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("HighCriticalAppearedCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("ResolvedCount")
+                        .HasColumnType("integer");
+
+                    b.Property<bool>("UsedAi")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset>("WindowEndedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("WindowStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("TenantId");
+
+                    b.ToTable("ExecutiveDashboardBriefings");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExposureAssessment", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("BaseCvss")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("DeviceVulnerabilityExposureId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("EnvironmentalCvss")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<string>("Reason")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<Guid?>("SecurityProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceVulnerabilityExposureId");
+
+                    b.HasIndex("SecurityProfileId");
+
+                    b.HasIndex("TenantId", "DeviceVulnerabilityExposureId")
+                        .IsUnique();
+
+                    b.ToTable("ExposureAssessments");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExposureEpisode", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("ClosedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("DeviceVulnerabilityExposureId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("EpisodeNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("FirstSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceVulnerabilityExposureId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "DeviceVulnerabilityExposureId", "EpisodeNumber")
+                        .IsUnique();
+
+                    b.ToTable("ExposureEpisodes");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.FeatureFlagOverride", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("FlagName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IsEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("FlagName", "TenantId");
+
+                    b.HasIndex("FlagName", "UserId");
+
+                    b.ToTable("FeatureFlagOverrides", null, t =>
+                        {
+                            t.HasCheckConstraint("CK_FeatureFlagOverrides_OneTarget", "(\"TenantId\" IS NOT NULL AND \"UserId\" IS NULL) OR (\"TenantId\" IS NULL AND \"UserId\" IS NOT NULL)");
+                        });
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.IngestionCheckpoint", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("BatchNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("CursorJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("LastCommittedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Phase")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<int>("RecordsCommitted")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("IngestionRunId", "Phase")
+                        .IsUnique();
+
+                    b.HasIndex("TenantId", "SourceKey", "Phase");
+
+                    b.ToTable("IngestionCheckpoints");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.IngestionRun", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("AbortRequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("DeactivatedMachineCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Error")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<int>("PersistedMachineCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("PersistedSoftwareCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("PersistedVulnerabilityCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<int>("StagedMachineCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("StagedSoftwareCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("StagedVulnerabilityCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "SourceKey", "StartedAt");
+
+                    b.ToTable("IngestionRuns");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.IngestionSnapshot", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "SourceKey", "Status");
+
+                    b.ToTable("IngestionSnapshots");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.InstalledSoftware", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("DeviceId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("FirstSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("LastMissedRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("LastSeenRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("MissingSyncCount")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer")
+                        .HasDefaultValue(0);
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SourceSystemId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Version")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceId");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("SourceSystemId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "LastSeenRunId");
+
+                    b.HasIndex("TenantId", "SoftwareProductId");
+
+                    b.HasIndex("TenantId", "LastSeenRunId", "SoftwareProductId")
+                        .HasDatabaseName("IX_InstalledSoftware_TenantId_LastSeenRunId_SoftwareProductId");
+
+                    b.HasIndex("TenantId", "DeviceId", "SoftwareProductId", "SourceSystemId", "Version")
+                        .IsUnique();
+
+                    b.ToTable("InstalledSoftware");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Notification", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Body")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("ReadAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("RelatedEntityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RelatedEntityType")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("SentAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("UserId");
+
+                    b.ToTable("Notifications");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.NvdCveCache", b =>
+                {
+                    b.Property<string>("CveId")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset>("CachedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ConfigurationsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<decimal?>("CvssScore")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<string>("CvssVector")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("text")
+                        .HasDefaultValue("");
+
+                    b.Property<DateTimeOffset>("FeedLastModified")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("PublishedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ReferencesJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("CveId");
+
+                    b.HasIndex("FeedLastModified");
+
+                    b.HasIndex("PublishedDate");
+
+                    b.ToTable("NvdCveCache");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.NvdFeedCheckpoint", b =>
+                {
+                    b.Property<string>("FeedName")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("FeedLastModified")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("SyncedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("FeedName");
+
+                    b.ToTable("NvdFeedCheckpoints");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.OrganizationalSeverity", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("AdjustedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("AdjustedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AdjustedSeverity")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("AssetCriticalityFactor")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("CompensatingControls")
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("ExposureFactor")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Justification")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("VulnerabilityId");
+
+                    b.HasIndex("TenantId", "VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("OrganizationalSeverities");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.PatchingTask", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("DueDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("OwnerTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RemediationDecisionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("RemediationWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OwnerTeamId");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("RemediationDecisionId");
+
+                    b.HasIndex("RemediationWorkflowId");
+
+                    b.HasIndex("Status");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "Status");
+
+                    b.ToTable("PatchingTasks");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationCase", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("ClosedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("ThreatIntelGeneratedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ThreatIntelProfileName")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ThreatIntelSummary")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "SoftwareProductId")
+                        .IsUnique();
+
+                    b.ToTable("RemediationCases", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationDecision", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApprovalStatus")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("ApprovedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ApprovedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("DecidedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("DecidedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("ExpiryDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Justification")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("LastSlaNotifiedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("MaintenanceWindowDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Outcome")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("ReEvaluationDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("RemediationWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ApprovalStatus");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("RemediationWorkflowId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "ApprovalStatus");
+
+                    b.ToTable("RemediationDecisions");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationDecisionVulnerabilityOverride", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Justification")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Outcome")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("RemediationDecisionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("VulnerabilityId");
+
+                    b.HasIndex("RemediationDecisionId", "VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("RemediationDecisionVulnerabilityOverrides");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationWorkflow", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApprovalMode")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("CancelledAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CurrentStage")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("CurrentStageStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Priority")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ProposedOutcome")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("RecurrenceSourceWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SoftwareOwnerTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RecurrenceSourceWorkflowId");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId")
+                        .IsUnique()
+                        .HasDatabaseName("IX_RemediationWorkflows_ActivePerCase")
+                        .HasFilter("\"Status\" = 'Active'");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "Status");
+
+                    b.ToTable("RemediationWorkflows");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationWorkflowStageRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssignedRole")
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("AssignedTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("CompletedByUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RemediationWorkflowId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Stage")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Summary")
+                        .HasColumnType("text");
+
+                    b.Property<bool>("SystemCompleted")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("RemediationWorkflowId", "Stage");
+
+                    b.HasIndex("TenantId", "RemediationWorkflowId");
+
+                    b.ToTable("RemediationWorkflowStageRecords");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RiskAcceptance", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("ApprovedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("ApprovedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Conditions")
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<DateTimeOffset?>("ExpiryDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Justification")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("NextReviewDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RemediationCaseId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("RequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("RequestedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<int?>("ReviewFrequency")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RemediationCaseId");
+
+                    b.HasIndex("Status");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "RemediationCaseId", "Status");
+
+                    b.ToTable("RiskAcceptances");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SecurityProfile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AvailabilityRequirement")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ConfidentialityRequirement")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<string>("EnvironmentClass")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("IntegrityRequirement")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("InternetReachability")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedAttackComplexity")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedAttackVector")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedAvailabilityImpact")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedConfidentialityImpact")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedIntegrityImpact")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedPrivilegesRequired")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedScope")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ModifiedUserInteraction")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("SecurityProfiles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SentinelConnectorConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("DceEndpoint")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("DcrImmutableId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<Guid?>("StoredCredentialId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("StreamName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("StoredCredentialId");
+
+                    b.ToTable("SentinelConnectorConfigurations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareAlias", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("ObservedName")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("ObservedVendor")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SourceSystemId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("SourceSystemId", "ExternalId")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareAliases");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareCpeBinding", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("BindingMethod")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Confidence")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<string>("Cpe23Uri")
+                        .IsRequired()
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("LastValidatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("MatchedProduct")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("MatchedVendor")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("MatchedVersion")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareCpeBindings");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareDescriptionJob", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Error")
+                        .IsRequired()
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<DateTimeOffset>("RequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid?>("TenantAiProfileId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "SoftwareProductId", "Status");
+
+                    b.ToTable("SoftwareDescriptionJobs");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareProduct", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("CanonicalProductKey")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Category")
+                        .HasColumnType("text");
+
+                    b.Property<int>("Confidence")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("DescriptionGeneratedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DescriptionModel")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DescriptionProfileName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("DescriptionProviderType")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("EndOfLifeAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("EolDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("EolEnrichedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool?>("EolIsDiscontinued")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool?>("EolIsLts")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("EolLatestVersion")
+                        .HasColumnType("text");
+
+                    b.Property<string>("EolProductSlug")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("EolSupportEndDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("LastEvaluatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<int>("NormalizationMethod")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("PrimaryCpe23Uri")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<int?>("SupplyChainAffectedVulnerabilityCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset?>("SupplyChainEnrichedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SupplyChainFixedVersion")
+                        .HasColumnType("text");
+
+                    b.Property<int>("SupplyChainInsightConfidence")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SupplyChainPrimaryComponentName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SupplyChainPrimaryComponentVersion")
+                        .HasColumnType("text");
+
+                    b.Property<int>("SupplyChainRemediationPath")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("SupplyChainSourceFormat")
+                        .HasColumnType("text");
+
+                    b.Property<string>("SupplyChainSummary")
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Vendor")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("CanonicalProductKey")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareProducts");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareProductAlias", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AliasConfidence")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ExternalSoftwareId")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("MatchReason")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("RawName")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("RawVendor")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("RawVersion")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SourceSystem")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("SourceSystem", "ExternalSoftwareId")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareProductAliases");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareProductInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("CurrentEpisodeNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("DetectedVersion")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("DeviceAssetId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("FirstSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("IsActive")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("RemovedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("SnapshotId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SoftwareAssetId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SourceSystem")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantSoftwareId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("DeviceAssetId");
+
+                    b.HasIndex("SnapshotId");
+
+                    b.HasIndex("SoftwareAssetId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantSoftwareId");
+
+                    b.HasIndex("TenantId", "SnapshotId", "SoftwareAssetId", "DeviceAssetId")
+                        .IsUnique();
+
+                    b.HasIndex("TenantId", "SnapshotId", "TenantSoftwareId", "DetectedVersion", "LastSeenAt");
+
+                    b.ToTable("SoftwareProductInstallations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareRiskScore", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AffectedDeviceCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CalculationVersion")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("CriticalExposureCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("FactorsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int>("HighExposureCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("LowExposureCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("MaxExposureScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<int>("MediumExposureCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("OpenExposureCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("OverallScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "SoftwareProductId")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareRiskScores");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareTenantRecord", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("FirstSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("LastSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("OwnerTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("OwnerTeamRuleId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RemediationAiAnalystAssessmentContent")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiExceptionRecommendationContent")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiOwnerRecommendationContent")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiRecommendedOutcome")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiRecommendedPriority")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiReviewStatus")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("RemediationAiReviewedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("RemediationAiReviewedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("RemediationAiSummaryContent")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset?>("RemediationAiSummaryGeneratedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("RemediationAiSummaryInputHash")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiSummaryModel")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiSummaryProfileName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("RemediationAiSummaryProviderType")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<Guid?>("SnapshotId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("OwnerTeamId");
+
+                    b.HasIndex("SnapshotId");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "SnapshotId", "SoftwareProductId")
+                        .IsUnique();
+
+                    b.ToTable("SoftwareTenantRecords");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SourceSystem", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Key")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Key")
+                        .IsUnique();
+
+                    b.ToTable("SourceSystems");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StagedCloudApplication", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("PayloadJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("TenantId", "SourceKey", "ExternalId");
+
+                    b.ToTable("StagedCloudApplications", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StagedDevice", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssetType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("BatchNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("PayloadJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("IngestionRunId", "BatchNumber");
+
+                    b.HasIndex("TenantId", "SourceKey", "ExternalId");
+
+                    b.ToTable("StagedDevices", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StagedDeviceSoftwareInstallation", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("BatchNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("DeviceExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("ObservedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("PayloadJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SoftwareExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("IngestionRunId", "BatchNumber");
+
+                    b.HasIndex("TenantId", "SourceKey", "DeviceExternalId", "SoftwareExternalId");
+
+                    b.ToTable("StagedDeviceSoftwareInstallations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StagedVulnerability", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("BatchNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PayloadJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Title")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("VendorSeverity")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("IngestionRunId", "BatchNumber");
+
+                    b.HasIndex("TenantId", "SourceKey", "ExternalId");
+
+                    b.HasIndex("IngestionRunId", "TenantId", "SourceKey", "Id");
+
+                    b.ToTable("StagedVulnerabilities");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StagedVulnerabilityExposure", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AssetExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("AssetName")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("AssetType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("BatchNumber")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("IngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("PayloadJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset>("StagedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("VulnerabilityExternalId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IngestionRunId");
+
+                    b.HasIndex("IngestionRunId", "BatchNumber");
+
+                    b.HasIndex("TenantId", "SourceKey", "VulnerabilityExternalId", "AssetExternalId");
+
+                    b.HasIndex("IngestionRunId", "TenantId", "SourceKey", "VulnerabilityExternalId", "AssetExternalId");
+
+                    b.ToTable("StagedVulnerabilityExposures");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StoredCredential", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CredentialTenantId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IsGlobal")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(160)
+                        .HasColumnType("character varying(160)");
+
+                    b.Property<string>("SecretRef")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Type")
+                        .IsRequired()
+                        .HasMaxLength(80)
+                        .HasColumnType("character varying(80)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("IsGlobal");
+
+                    b.HasIndex("Type");
+
+                    b.ToTable("StoredCredentials");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StoredCredentialTenant", b =>
+                {
+                    b.Property<Guid>("StoredCredentialId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("StoredCredentialId", "TenantId");
+
+                    b.HasIndex("TenantId");
+
+                    b.ToTable("StoredCredentialTenants");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Team", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("IsDefault")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(false);
+
+                    b.Property<bool>("IsDynamic")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(false);
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("Teams");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamMember", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("UserId");
+
+                    b.HasIndex("TeamId", "UserId")
+                        .IsUnique();
+
+                    b.ToTable("TeamMembers");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamMembershipRule", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("FilterDefinition")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset?>("LastExecutedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int?>("LastMatchCount")
+                        .HasColumnType("integer");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId")
+                        .IsUnique();
+
+                    b.HasIndex("TenantId");
+
+                    b.ToTable("TeamMembershipRules");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamRiskScore", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssetCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CalculationVersion")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<int>("CriticalEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("FactorsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<int>("HighEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("LowEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("MaxAssetRiskScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<int>("MediumEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("OpenEpisodeCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("OverallScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TeamId")
+                        .IsUnique();
+
+                    b.HasIndex("TenantId");
+
+                    b.ToTable("TeamRiskScores");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Tenant", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("EntraTenantId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IsPendingDeletion")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("IsPrimary")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("EntraTenantId")
+                        .IsUnique();
+
+                    b.ToTable("Tenants");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantAiProfile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("AllowExternalResearch")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("AllowedDomains")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ApiVersion")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("BaseUrl")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("DeploymentName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IncludeCitations")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("IsDefault")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("IsEnabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("KeepAlive")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset?>("LastValidatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastValidationError")
+                        .IsRequired()
+                        .HasMaxLength(1024)
+                        .HasColumnType("character varying(1024)");
+
+                    b.Property<string>("LastValidationStatus")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<int>("MaxOutputTokens")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("MaxResearchSources")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Model")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<int?>("NumCtx")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("ProviderType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("ResearchSourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("ResponseFormat")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<string>("SecretRef")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("SystemPrompt")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<decimal>("Temperature")
+                        .HasPrecision(4, 2)
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("TimeoutSeconds")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal?>("TopP")
+                        .HasPrecision(4, 2)
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("WebResearchMode")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "Name")
+                        .IsUnique();
+
+                    b.ToTable("TenantAiProfiles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantDeletionJob", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Error")
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<Guid>("RequestedByUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Status");
+
+                    b.HasIndex("TenantId")
+                        .IsUnique();
+
+                    b.ToTable("TenantDeletionJobs");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantRiskScoreSnapshot", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("AssetCount")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("CriticalAssetCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateOnly>("Date")
+                        .HasColumnType("date");
+
+                    b.Property<int>("HighAssetCount")
+                        .HasColumnType("integer");
+
+                    b.Property<decimal>("OverallScore")
+                        .HasPrecision(7, 2)
+                        .HasColumnType("numeric(7,2)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("TenantId", "Date")
+                        .IsUnique();
+
+                    b.ToTable("TenantRiskScoreSnapshots");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantSlaConfiguration", b =>
+                {
+                    b.Property<Guid>("TenantId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("ApprovalExpiryHours")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("CriticalDays")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("HighDays")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("LowDays")
+                        .HasColumnType("integer");
+
+                    b.Property<int>("MediumDays")
+                        .HasColumnType("integer");
+
+                    b.HasKey("TenantId");
+
+                    b.ToTable("TenantSlaConfigurations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantSoftwareProductInsight", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)");
+
+                    b.Property<Guid>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SupplyChainEvidenceJson")
+                        .HasColumnType("text");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("TenantId", "SoftwareProductId")
+                        .IsUnique();
+
+                    b.ToTable("TenantSoftwareProductInsights");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantSourceConfiguration", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActiveIngestionRunId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("ActiveSnapshotId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ApiBaseUrl")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<Guid?>("BuildingSnapshotId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ClientId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("CredentialTenantId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("Enabled")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset?>("LastCompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastError")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<DateTimeOffset?>("LastStartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LastStatus")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset?>("LastSucceededAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("LeaseAcquiredAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("LeaseExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("LinkedSourceKey")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset?>("ManualRequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("SecretRef")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("SourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid?>("StoredCredentialId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("SyncSchedule")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("TokenScope")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ActiveSnapshotId");
+
+                    b.HasIndex("BuildingSnapshotId");
+
+                    b.HasIndex("StoredCredentialId");
+
+                    b.HasIndex("TenantId", "SourceKey")
+                        .IsUnique();
+
+                    b.ToTable("TenantSourceConfigurations");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ThreatAssessment", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("ActiveAlert")
+                        .HasColumnType("boolean");
+
+                    b.Property<DateTimeOffset>("CalculatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CalculationVersion")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("DefenderLastRefreshedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<decimal?>("EpssScore")
+                        .HasColumnType("numeric(5,4)");
+
+                    b.Property<decimal>("ExploitLikelihoodScore")
+                        .HasColumnType("numeric(4,3)");
+
+                    b.Property<string>("FactorsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("HasMalwareAssociation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("HasRansomwareAssociation")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("KnownExploited")
+                        .HasColumnType("boolean");
+
+                    b.Property<bool>("PublicExploit")
+                        .HasColumnType("boolean");
+
+                    b.Property<decimal>("TechnicalScore")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<decimal>("ThreatActivityScore")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<decimal>("ThreatScore")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("ThreatAssessments");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.User", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AccessScope")
+                        .IsRequired()
+                        .ValueGeneratedOnAdd()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)")
+                        .HasDefaultValue("Internal");
+
+                    b.Property<string>("Company")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("DisplayName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Email")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("EntraObjectId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<bool>("IsEnabled")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("boolean")
+                        .HasDefaultValue(true);
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Email")
+                        .IsUnique();
+
+                    b.HasIndex("EntraObjectId")
+                        .IsUnique();
+
+                    b.ToTable("Users");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.UserTenantRole", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Role")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("UserId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId");
+
+                    b.HasIndex("UserId", "TenantId", "Role")
+                        .IsUnique();
+
+                    b.ToTable("UserTenantRoles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Vulnerability", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<decimal?>("CvssScore")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<string>("CvssVector")
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("ExternalId")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<DateTimeOffset?>("PublishedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Source")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("Title")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("VendorSeverity")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("ExternalId")
+                        .IsUnique();
+
+                    b.HasIndex("Source");
+
+                    b.ToTable("Vulnerabilities");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityApplicability", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("CpeCriteria")
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<Guid?>("SoftwareProductId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Source")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("VersionEndExcluding")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("VersionEndIncluding")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("VersionStartExcluding")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<string>("VersionStartIncluding")
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.Property<bool>("Vulnerable")
+                        .HasColumnType("boolean");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("SoftwareProductId");
+
+                    b.HasIndex("VulnerabilityId", "CpeCriteria");
+
+                    b.HasIndex("VulnerabilityId", "SoftwareProductId");
+
+                    b.HasIndex("VulnerabilityId", "Source");
+
+                    b.HasIndex("Vulnerable", "SoftwareProductId")
+                        .HasDatabaseName("IX_VulnerabilityApplicabilities_Vulnerable_SoftwareProductId");
+
+                    b.ToTable("VulnerabilityApplicabilities");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityAssessmentJob", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Error")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTimeOffset>("RequestedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("character varying(16)");
+
+                    b.Property<Guid>("TriggerTenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .IsConcurrencyToken()
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("RequestedAt");
+
+                    b.HasIndex("Status");
+
+                    b.HasIndex("VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("VulnerabilityAssessmentJobs");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityPatchAssessment", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("AiProfileName")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<DateTimeOffset>("AssessedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CompensatingControlsUntilPatched")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Confidence")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("RawOutput")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Recommendation")
+                        .IsRequired()
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<string>("References")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("SimilarVulnerabilities")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Summary")
+                        .IsRequired()
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)");
+
+                    b.Property<string>("UrgencyReason")
+                        .IsRequired()
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<string>("UrgencyTargetSla")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("UrgencyTier")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("VulnerabilityId")
+                        .IsUnique();
+
+                    b.ToTable("VulnerabilityPatchAssessments");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityReference", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Source")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("Tags")
+                        .IsRequired()
+                        .HasMaxLength(512)
+                        .HasColumnType("character varying(512)");
+
+                    b.Property<string>("Url")
+                        .IsRequired()
+                        .HasMaxLength(2048)
+                        .HasColumnType("character varying(2048)");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("VulnerabilityId", "Url")
+                        .IsUnique();
+
+                    b.ToTable("VulnerabilityReferences");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowAction", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ActionType")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("CompletedByUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTimeOffset?>("DueAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Instructions")
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<Guid>("NodeExecutionId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("ResponseJson")
+                        .HasColumnType("jsonb");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("TeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("WorkflowInstanceId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("NodeExecutionId")
+                        .IsUnique();
+
+                    b.HasIndex("WorkflowInstanceId");
+
+                    b.HasIndex("TenantId", "TeamId", "Status");
+
+                    b.ToTable("WorkflowActions");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowDefinition", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("CreatedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Description")
+                        .HasMaxLength(2000)
+                        .HasColumnType("character varying(2000)");
+
+                    b.Property<string>("GraphJson")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("Scope")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("TriggerType")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<DateTimeOffset>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<int>("Version")
+                        .HasColumnType("integer");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("Scope", "Status");
+
+                    b.HasIndex("TenantId", "Scope", "TriggerType");
+
+                    b.ToTable("WorkflowDefinitions");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowInstance", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ContextJson")
+                        .IsRequired()
+                        .HasColumnType("jsonb");
+
+                    b.Property<Guid?>("CreatedBy")
+                        .HasColumnType("uuid");
+
+                    b.Property<int>("DefinitionVersion")
+                        .HasColumnType("integer");
+
+                    b.Property<string>("Error")
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<DateTimeOffset>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid?>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("TriggerType")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<Guid>("WorkflowDefinitionId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("TenantId", "Status");
+
+                    b.HasIndex("WorkflowDefinitionId", "Status");
+
+                    b.ToTable("WorkflowInstances");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowNodeExecution", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid?>("AssignedTeamId")
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset?>("CompletedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid?>("CompletedByUserId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("Error")
+                        .HasMaxLength(4000)
+                        .HasColumnType("character varying(4000)");
+
+                    b.Property<string>("InputJson")
+                        .HasColumnType("jsonb");
+
+                    b.Property<string>("NodeId")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
+                    b.Property<string>("NodeType")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
+                    b.Property<string>("OutputJson")
+                        .HasColumnType("jsonb");
+
+                    b.Property<DateTimeOffset?>("StartedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Status")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("WorkflowInstanceId")
+                        .HasColumnType("uuid");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("WorkflowInstanceId", "NodeId");
+
+                    b.HasIndex("WorkflowInstanceId", "Status");
+
+                    b.ToTable("WorkflowNodeExecutions");
+                });
+
+            modelBuilder.Entity("PatchHound.Infrastructure.Data.Views.AlternateMitigationVulnId", b =>
+                {
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.ToTable((string)null);
+
+                    b.ToView("mv_alternate_mitigation_vuln_ids", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Infrastructure.Data.Views.ExposureLatestAssessment", b =>
+                {
+                    b.Property<Guid>("DeviceVulnerabilityExposureId")
+                        .HasColumnType("uuid");
+
+                    b.Property<decimal>("EnvironmentalCvss")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.ToTable((string)null);
+
+                    b.ToView("mv_exposure_latest_assessment", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Infrastructure.Data.Views.OpenExposureVulnSummary", b =>
+                {
+                    b.Property<int>("AffectedDeviceCount")
+                        .HasColumnType("integer");
+
+                    b.Property<DateTimeOffset>("LatestSeenAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<decimal?>("MaxCvss")
+                        .HasColumnType("numeric(4,2)");
+
+                    b.Property<DateTimeOffset?>("PublishedDate")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<Guid>("TenantId")
+                        .HasColumnType("uuid");
+
+                    b.Property<string>("VendorSeverity")
+                        .IsRequired()
+                        .HasMaxLength(32)
+                        .HasColumnType("character varying(32)");
+
+                    b.Property<Guid>("VulnerabilityId")
+                        .HasColumnType("uuid");
+
+                    b.ToTable((string)null);
+
+                    b.ToView("mv_open_exposure_vuln_summary", (string)null);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AIReport", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.TenantAiProfile", "TenantAiProfile")
+                        .WithMany()
+                        .HasForeignKey("TenantAiProfileId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("TenantAiProfile");
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.AnalystRecommendation", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationWorkflow", "RemediationWorkflow")
+                        .WithMany()
+                        .HasForeignKey("RemediationWorkflowId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("RemediationWorkflow");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovalTask", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationDecision", "RemediationDecision")
+                        .WithMany()
+                        .HasForeignKey("RemediationDecisionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationWorkflow", "RemediationWorkflow")
+                        .WithMany()
+                        .HasForeignKey("RemediationWorkflowId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("RemediationDecision");
+
+                    b.Navigation("RemediationWorkflow");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovalTaskVisibleRole", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.ApprovalTask", "ApprovalTask")
+                        .WithMany("VisibleRoles")
+                        .HasForeignKey("ApprovalTaskId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("ApprovalTask");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovedVulnerabilityRemediation", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationDecision", "RemediationDecision")
+                        .WithMany()
+                        .HasForeignKey("RemediationDecisionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("RemediationDecision");
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.CloudApplicationCredentialMetadata", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.CloudApplication", "Application")
+                        .WithMany("Credentials")
+                        .HasForeignKey("CloudApplicationId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Application");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Device", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SourceSystem", null)
+                        .WithMany()
+                        .HasForeignKey("SourceSystemId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceBusinessLabel", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.BusinessLabel", "BusinessLabel")
+                        .WithMany()
+                        .HasForeignKey("BusinessLabelId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.Device", null)
+                        .WithMany()
+                        .HasForeignKey("DeviceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("BusinessLabel");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceRiskScore", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Device", null)
+                        .WithMany()
+                        .HasForeignKey("DeviceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceTag", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Device", null)
+                        .WithMany()
+                        .HasForeignKey("DeviceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.DeviceVulnerabilityExposure", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Device", "Device")
+                        .WithMany()
+                        .HasForeignKey("DeviceId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.InstalledSoftware", "InstalledSoftware")
+                        .WithMany()
+                        .HasForeignKey("InstalledSoftwareId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Restrict);
+
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("Device");
+
+                    b.Navigation("InstalledSoftware");
+
+                    b.Navigation("SoftwareProduct");
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.EnrichmentSourceConfiguration", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.StoredCredential", null)
+                        .WithMany()
+                        .HasForeignKey("StoredCredentialId")
+                        .OnDelete(DeleteBehavior.Restrict);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExecutiveDashboardBriefing", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Tenant", null)
+                        .WithMany()
+                        .HasForeignKey("TenantId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExposureAssessment", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.DeviceVulnerabilityExposure", "Exposure")
+                        .WithMany()
+                        .HasForeignKey("DeviceVulnerabilityExposureId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.SecurityProfile", "SecurityProfile")
+                        .WithMany()
+                        .HasForeignKey("SecurityProfileId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("Exposure");
+
+                    b.Navigation("SecurityProfile");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ExposureEpisode", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.DeviceVulnerabilityExposure", "Exposure")
+                        .WithMany()
+                        .HasForeignKey("DeviceVulnerabilityExposureId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Exposure");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.FeatureFlagOverride", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Tenant", "Tenant")
+                        .WithMany()
+                        .HasForeignKey("TenantId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("PatchHound.Core.Entities.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("Tenant");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.InstalledSoftware", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Device", null)
+                        .WithMany()
+                        .HasForeignKey("DeviceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", null)
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.SourceSystem", null)
+                        .WithMany()
+                        .HasForeignKey("SourceSystemId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.OrganizationalSeverity", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.PatchingTask", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationDecision", "RemediationDecision")
+                        .WithMany()
+                        .HasForeignKey("RemediationDecisionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationWorkflow", "RemediationWorkflow")
+                        .WithMany()
+                        .HasForeignKey("RemediationWorkflowId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("RemediationDecision");
+
+                    b.Navigation("RemediationWorkflow");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationCase", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationDecision", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.RemediationWorkflow", "RemediationWorkflow")
+                        .WithMany()
+                        .HasForeignKey("RemediationWorkflowId")
+                        .OnDelete(DeleteBehavior.SetNull);
+
+                    b.Navigation("RemediationCase");
+
+                    b.Navigation("RemediationWorkflow");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationDecisionVulnerabilityOverride", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationDecision", "RemediationDecision")
+                        .WithMany("VulnerabilityOverrides")
+                        .HasForeignKey("RemediationDecisionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("RemediationDecision");
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationWorkflow", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("RemediationCase");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationWorkflowStageRecord", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationWorkflow", "Workflow")
+                        .WithMany("StageRecords")
+                        .HasForeignKey("RemediationWorkflowId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Workflow");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RiskAcceptance", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.RemediationCase", "RemediationCase")
+                        .WithMany()
+                        .HasForeignKey("RemediationCaseId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("RemediationCase");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SentinelConnectorConfiguration", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.StoredCredential", "StoredCredential")
+                        .WithMany()
+                        .HasForeignKey("StoredCredentialId")
+                        .OnDelete(DeleteBehavior.Restrict);
+
+                    b.Navigation("StoredCredential");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareAlias", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", null)
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.SourceSystem", null)
+                        .WithMany()
+                        .HasForeignKey("SourceSystemId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareCpeBinding", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareProductAlias", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareProductInstallation", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Device", "DeviceAsset")
+                        .WithMany()
+                        .HasForeignKey("DeviceAssetId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.SoftwareTenantRecord", "TenantSoftware")
+                        .WithMany()
+                        .HasForeignKey("TenantSoftwareId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("DeviceAsset");
+
+                    b.Navigation("TenantSoftware");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareRiskScore", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.SoftwareTenantRecord", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StoredCredentialTenant", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.StoredCredential", "StoredCredential")
+                        .WithMany("TenantScopes")
+                        .HasForeignKey("StoredCredentialId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.Tenant", "Tenant")
+                        .WithMany()
+                        .HasForeignKey("TenantId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("StoredCredential");
+
+                    b.Navigation("Tenant");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamMember", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Team", "Team")
+                        .WithMany("Members")
+                        .HasForeignKey("TeamId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Team");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamMembershipRule", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Team", "Team")
+                        .WithOne()
+                        .HasForeignKey("PatchHound.Core.Entities.TeamMembershipRule", "TeamId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Team");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TeamRiskScore", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Team", "Team")
+                        .WithMany()
+                        .HasForeignKey("TeamId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Team");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantSoftwareProductInsight", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", null)
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.TenantSourceConfiguration", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.StoredCredential", null)
+                        .WithMany()
+                        .HasForeignKey("StoredCredentialId")
+                        .OnDelete(DeleteBehavior.Restrict);
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ThreatAssessment", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.UserTenantRole", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Tenant", "Tenant")
+                        .WithMany()
+                        .HasForeignKey("TenantId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.User", "User")
+                        .WithMany("TenantRoles")
+                        .HasForeignKey("UserId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Tenant");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityApplicability", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.SoftwareProduct", "SoftwareProduct")
+                        .WithMany()
+                        .HasForeignKey("SoftwareProductId")
+                        .OnDelete(DeleteBehavior.Restrict);
+
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("SoftwareProduct");
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.VulnerabilityReference", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.Vulnerability", "Vulnerability")
+                        .WithMany()
+                        .HasForeignKey("VulnerabilityId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Vulnerability");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowAction", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.WorkflowNodeExecution", "NodeExecution")
+                        .WithMany()
+                        .HasForeignKey("NodeExecutionId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.HasOne("PatchHound.Core.Entities.WorkflowInstance", "WorkflowInstance")
+                        .WithMany()
+                        .HasForeignKey("WorkflowInstanceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("NodeExecution");
+
+                    b.Navigation("WorkflowInstance");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowInstance", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.WorkflowDefinition", "WorkflowDefinition")
+                        .WithMany()
+                        .HasForeignKey("WorkflowDefinitionId")
+                        .OnDelete(DeleteBehavior.Restrict)
+                        .IsRequired();
+
+                    b.Navigation("WorkflowDefinition");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowNodeExecution", b =>
+                {
+                    b.HasOne("PatchHound.Core.Entities.WorkflowInstance", "WorkflowInstance")
+                        .WithMany("NodeExecutions")
+                        .HasForeignKey("WorkflowInstanceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("WorkflowInstance");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.ApprovalTask", b =>
+                {
+                    b.Navigation("VisibleRoles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.CloudApplication", b =>
+                {
+                    b.Navigation("Credentials");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationDecision", b =>
+                {
+                    b.Navigation("VulnerabilityOverrides");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.RemediationWorkflow", b =>
+                {
+                    b.Navigation("StageRecords");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.StoredCredential", b =>
+                {
+                    b.Navigation("TenantScopes");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.Team", b =>
+                {
+                    b.Navigation("Members");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.User", b =>
+                {
+                    b.Navigation("TenantRoles");
+                });
+
+            modelBuilder.Entity("PatchHound.Core.Entities.WorkflowInstance", b =>
+                {
+                    b.Navigation("NodeExecutions");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.cs b/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.cs
new file mode 100644
index 00000000..bef8875e
--- /dev/null
+++ b/src/PatchHound.Infrastructure/Migrations/20260522105236_AddAiResearchSourceTargets.cs
@@ -0,0 +1,61 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace PatchHound.Infrastructure.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddAiResearchSourceTargets : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<string>(
+                name: "ResearchSourceKey",
+                table: "TenantAiProfiles",
+                type: "character varying(128)",
+                maxLength: 128,
+                nullable: false,
+                defaultValue: "");
+
+            migrationBuilder.AddColumn<string>(
+                name: "OptionsJson",
+                table: "EnrichmentSourceConfigurations",
+                type: "text",
+                nullable: false,
+                defaultValue: "");
+
+            migrationBuilder.AddColumn<string>(
+                name: "Targets",
+                table: "EnrichmentSourceConfigurations",
+                type: "character varying(256)",
+                maxLength: 256,
+                nullable: false,
+                defaultValue: "Scheduled");
+
+            migrationBuilder.Sql(
+                """
+                UPDATE "EnrichmentSourceConfigurations"
+                SET "Targets" = 'Scheduled'
+                WHERE "Targets" IS NULL OR btrim("Targets") = ''
+                """
+            );
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "ResearchSourceKey",
+                table: "TenantAiProfiles");
+
+            migrationBuilder.DropColumn(
+                name: "OptionsJson",
+                table: "EnrichmentSourceConfigurations");
+
+            migrationBuilder.DropColumn(
+                name: "Targets",
+                table: "EnrichmentSourceConfigurations");
+        }
+    }
+}
diff --git a/src/PatchHound.Infrastructure/Migrations/PatchHoundDbContextModelSnapshot.cs b/src/PatchHound.Infrastructure/Migrations/PatchHoundDbContextModelSnapshot.cs
index 03abd11a..bf4405e9 100644
--- a/src/PatchHound.Infrastructure/Migrations/PatchHoundDbContextModelSnapshot.cs
+++ b/src/PatchHound.Infrastructure/Migrations/PatchHoundDbContextModelSnapshot.cs
@@ -1858,6 +1858,10 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<DateTimeOffset?>("LeaseExpiresAt")
                         .HasColumnType("timestamp with time zone");
 
+                    b.Property<string>("OptionsJson")
+                        .IsRequired()
+                        .HasColumnType("text");
+
                     b.Property<int?>("RefreshTtlHours")
                         .HasColumnType("integer");
 
@@ -1874,6 +1878,11 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                     b.Property<Guid?>("StoredCredentialId")
                         .HasColumnType("uuid");
 
+                    b.Property<string>("Targets")
+                        .IsRequired()
+                        .HasMaxLength(256)
+                        .HasColumnType("character varying(256)");
+
                     b.HasKey("Id");
 
                     b.HasIndex("ActiveEnrichmentRunId");
@@ -4111,6 +4120,11 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                         .HasMaxLength(32)
                         .HasColumnType("character varying(32)");
 
+                    b.Property<string>("ResearchSourceKey")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("character varying(128)");
+
                     b.Property<string>("ResponseFormat")
                         .IsRequired()
                         .HasMaxLength(16)
diff --git a/src/PatchHound.Infrastructure/Services/ExternalWebSearchResearchProvider.cs b/src/PatchHound.Infrastructure/Services/ExternalWebSearchResearchProvider.cs
index 453f0cdf..470c88eb 100644
--- a/src/PatchHound.Infrastructure/Services/ExternalWebSearchResearchProvider.cs
+++ b/src/PatchHound.Infrastructure/Services/ExternalWebSearchResearchProvider.cs
@@ -4,12 +4,14 @@
 using System.Text.RegularExpressions;
 using Microsoft.Extensions.Options;
 using PatchHound.Core.Common;
+using PatchHound.Core.Entities;
 using PatchHound.Core.Models;
 using PatchHound.Infrastructure.Options;
+using PatchHound.Infrastructure.Tenants;
 
 namespace PatchHound.Infrastructure.Services;
 
-public partial class ExternalWebSearchResearchProvider
+public partial class ExternalWebSearchResearchProvider : IAiResearchSourceProvider
 {
     private const int MaxSnippetChars = 1800;
     private const int MaxContextChars = 6000;
@@ -26,6 +28,14 @@ public ExternalWebSearchResearchProvider(
         _options = options?.Value ?? new AiResearchOptions();
     }
 
+    public string SourceKey => EnrichmentSourceCatalog.ExternalWebSearchSourceKey;
+
+    public Task<Result<AiWebResearchBundle>> ResearchAsync(
+        EnrichmentSourceConfiguration source,
+        AiWebResearchRequest request,
+        CancellationToken ct
+    ) => ResearchAsync(request, ct);
+
     public async Task<Result<AiWebResearchBundle>> ResearchAsync(
         AiWebResearchRequest request,
         CancellationToken ct
@@ -104,7 +114,7 @@ internal static string BuildSearchUrl(string query, string? provider)
         return $"https://r.jina.ai/http://{host}/search?q={Uri.EscapeDataString(query)}";
     }
 
-    private static IReadOnlyList<AiWebResearchSource> ExtractSources(string body, int maxSources)
+    internal static IReadOnlyList<AiWebResearchSource> ExtractSources(string body, int maxSources)
     {
         var results = new List<AiWebResearchSource>();
         var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
@@ -208,7 +218,7 @@ CancellationToken ct
         return contexts;
     }
 
-    private static bool IsAllowedUrl(Uri uri)
+    internal static bool IsAllowedUrl(Uri uri)
     {
         if (uri.Scheme is not ("http" or "https"))
         {
@@ -286,7 +296,7 @@ private static bool IsPrivateIpv4(IPAddress address)
             || bytes[0] >= 224;
     }
 
-    private static string ExtractSourceSnippet(string body)
+    internal static string ExtractSourceSnippet(string body)
     {
         var text = body.Replace("\r", "\n");
         var lines = text
@@ -299,7 +309,7 @@ private static string ExtractSourceSnippet(string body)
         return Truncate(string.Join('\n', lines), MaxSnippetChars);
     }
 
-    private static string BuildContext(
+    internal static string BuildContext(
         string searchBody,
         IReadOnlyList<AiWebResearchSource> sources,
         IReadOnlyDictionary<string, string> sourceContexts,
@@ -340,7 +350,7 @@ bool includeCitations
         return Truncate(builder.ToString().Trim(), MaxContextChars);
     }
 
-    private static string Truncate(string value, int maxChars)
+    internal static string Truncate(string value, int maxChars)
     {
         if (value.Length <= maxChars)
         {
diff --git a/src/PatchHound.Infrastructure/Services/IAiResearchSourceProvider.cs b/src/PatchHound.Infrastructure/Services/IAiResearchSourceProvider.cs
new file mode 100644
index 00000000..642edaf7
--- /dev/null
+++ b/src/PatchHound.Infrastructure/Services/IAiResearchSourceProvider.cs
@@ -0,0 +1,16 @@
+using PatchHound.Core.Common;
+using PatchHound.Core.Entities;
+using PatchHound.Core.Models;
+
+namespace PatchHound.Infrastructure.Services;
+
+public interface IAiResearchSourceProvider
+{
+    string SourceKey { get; }
+
+    Task<Result<AiWebResearchBundle>> ResearchAsync(
+        EnrichmentSourceConfiguration source,
+        AiWebResearchRequest request,
+        CancellationToken ct
+    );
+}
diff --git a/src/PatchHound.Infrastructure/Services/JinaReaderAiResearchProvider.cs b/src/PatchHound.Infrastructure/Services/JinaReaderAiResearchProvider.cs
new file mode 100644
index 00000000..a5e219bb
--- /dev/null
+++ b/src/PatchHound.Infrastructure/Services/JinaReaderAiResearchProvider.cs
@@ -0,0 +1,270 @@
+using System.Net.Http.Headers;
+using System.Text;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Options;
+using PatchHound.Core.Common;
+using PatchHound.Core.Entities;
+using PatchHound.Core.Models;
+using PatchHound.Infrastructure.Data;
+using PatchHound.Infrastructure.Options;
+using PatchHound.Infrastructure.Secrets;
+using PatchHound.Infrastructure.Tenants;
+
+namespace PatchHound.Infrastructure.Services;
+
+public sealed class JinaReaderAiResearchProvider(
+    HttpClient httpClient,
+    PatchHoundDbContext dbContext,
+    ISecretStore secretStore,
+    IOptions<AiResearchOptions>? options = null
+) : IAiResearchSourceProvider
+{
+    private const string ExternalResearchUnavailableNote =
+        "External research was not available during the time of assessment";
+
+    public string SourceKey => EnrichmentSourceCatalog.JinaReaderSourceKey;
+
+    private readonly AiResearchOptions _options = options?.Value ?? new AiResearchOptions();
+
+    public async Task<Result<AiWebResearchBundle>> ResearchAsync(
+        EnrichmentSourceConfiguration source,
+        AiWebResearchRequest request,
+        CancellationToken ct
+    )
+    {
+        try
+        {
+            var apiKey = await ResolveApiKeyAsync(source, ct);
+            var jinaOptions = JinaReaderOptions.FromJson(source.OptionsJson).Normalize();
+            var searchUrl = BuildReaderSearchUrl(
+                source.ApiBaseUrl,
+                BuildQuery(request),
+                _options.JinaSearchProvider
+            );
+
+            var searchBody = await SendReaderRequestAsync(searchUrl, apiKey, jinaOptions, ct);
+            if (string.IsNullOrWhiteSpace(searchBody))
+            {
+                return UnavailableResult();
+            }
+
+            var sources = ExternalWebSearchResearchProvider.ExtractSources(searchBody, request.MaxSources);
+            var sourceContexts = await FetchSourceContextsAsync(
+                sources,
+                source.ApiBaseUrl,
+                apiKey,
+                jinaOptions,
+                ct
+            );
+            var context = ExternalWebSearchResearchProvider.BuildContext(
+                searchBody,
+                sources,
+                sourceContexts,
+                request.MaxSources,
+                request.IncludeCitations
+            );
+
+            context = ExternalWebSearchResearchProvider.Truncate(context, jinaOptions.MaxContentChars);
+
+            return string.IsNullOrWhiteSpace(context)
+                ? UnavailableResult()
+                : Result<AiWebResearchBundle>.Success(new AiWebResearchBundle(context, sources));
+        }
+        catch (OperationCanceledException) when (ct.IsCancellationRequested)
+        {
+            throw;
+        }
+        catch
+        {
+            return UnavailableResult();
+        }
+    }
+
+    private async Task<IReadOnlyDictionary<string, string>> FetchSourceContextsAsync(
+        IReadOnlyList<AiWebResearchSource> sources,
+        string apiBaseUrl,
+        string? apiKey,
+        JinaReaderOptions options,
+        CancellationToken ct
+    )
+    {
+        var contexts = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+
+        foreach (var source in sources)
+        {
+            if (!Uri.TryCreate(source.Url, UriKind.Absolute, out var uri)
+                || !ExternalWebSearchResearchProvider.IsAllowedUrl(uri))
+            {
+                continue;
+            }
+
+            try
+            {
+                var proxiedUrl = BuildReaderUrl(apiBaseUrl, uri);
+                var body = await SendReaderRequestAsync(proxiedUrl, apiKey, options, ct);
+                var snippet = ExternalWebSearchResearchProvider.ExtractSourceSnippet(body);
+                if (!string.IsNullOrWhiteSpace(snippet))
+                {
+                    contexts[source.Url] = ExternalWebSearchResearchProvider.Truncate(snippet, options.MaxContentChars);
+                }
+            }
+            catch
+            {
+                // Individual source fetches are best effort; the search result remains useful context.
+            }
+        }
+
+        return contexts;
+    }
+
+    private async Task<string> SendReaderRequestAsync(
+        string url,
+        string? apiKey,
+        JinaReaderOptions options,
+        CancellationToken ct
+    )
+    {
+        using var request = new HttpRequestMessage(HttpMethod.Get, url);
+        if (!string.IsNullOrWhiteSpace(apiKey))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", apiKey);
+        }
+
+        request.Headers.TryAddWithoutValidation(
+            "X-Respond-With",
+            options.UseReaderLmV2 ? "readerlm-v2" : options.ResponseFormat
+        );
+
+        if (options.RemoveImages)
+        {
+            request.Headers.TryAddWithoutValidation("X-Remove-Selector", "img");
+        }
+
+        if (!string.IsNullOrWhiteSpace(options.TargetSelector))
+        {
+            request.Headers.TryAddWithoutValidation("X-Target-Selector", options.TargetSelector);
+        }
+
+        if (!string.IsNullOrWhiteSpace(options.ExcludeSelector))
+        {
+            request.Headers.TryAddWithoutValidation("X-Remove-Selector", options.ExcludeSelector);
+        }
+
+        if (!string.IsNullOrWhiteSpace(options.WaitForSelector))
+        {
+            request.Headers.TryAddWithoutValidation("X-Wait-For-Selector", options.WaitForSelector);
+        }
+
+        if (options.IncludeLinkSummary)
+        {
+            request.Headers.TryAddWithoutValidation("X-With-Links-Summary", "true");
+        }
+
+        if (options.IncludeImageSummary)
+        {
+            request.Headers.TryAddWithoutValidation("X-With-Images-Summary", "true");
+        }
+
+        using var timeoutCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        timeoutCts.CancelAfter(TimeSpan.FromSeconds(options.TimeoutSeconds));
+
+        using var response = await httpClient.SendAsync(request, timeoutCts.Token);
+        var body = await response.Content.ReadAsStringAsync(timeoutCts.Token);
+        if (!response.IsSuccessStatusCode)
+        {
+            throw new InvalidOperationException("Jina Reader research endpoint was unavailable.");
+        }
+
+        if (IsUnavailableResponseBody(body))
+        {
+            throw new InvalidOperationException("Jina Reader research endpoint returned an unavailable response.");
+        }
+
+        return body;
+    }
+
+    private static Result<AiWebResearchBundle> UnavailableResult() =>
+        Result<AiWebResearchBundle>.Success(new AiWebResearchBundle(ExternalResearchUnavailableNote, []));
+
+    private static bool IsUnavailableResponseBody(string body)
+    {
+        if (string.IsNullOrWhiteSpace(body))
+        {
+            return false;
+        }
+
+        return body.Contains("requested URL returned error", StringComparison.OrdinalIgnoreCase)
+            || body.Contains("Too Many Requests", StringComparison.OrdinalIgnoreCase)
+            || body.Contains("The requested content is not available", StringComparison.OrdinalIgnoreCase);
+    }
+
+    private async Task<string?> ResolveApiKeyAsync(
+        EnrichmentSourceConfiguration source,
+        CancellationToken ct
+    )
+    {
+        if (source.StoredCredentialId is Guid storedCredentialId)
+        {
+            var credential = await dbContext.StoredCredentials.AsNoTracking()
+                .FirstOrDefaultAsync(
+                    item => item.Id == storedCredentialId && item.IsGlobal,
+                    ct
+                );
+
+            if (credential is not null)
+            {
+                var storedApiKey = await secretStore.GetSecretAsync(credential.SecretRef, "apiKey", ct);
+                if (!string.IsNullOrWhiteSpace(storedApiKey))
+                {
+                    return storedApiKey;
+                }
+            }
+        }
+
+        return string.IsNullOrWhiteSpace(source.SecretRef)
+            ? null
+            : await secretStore.GetSecretAsync(source.SecretRef, EnrichmentSourceCatalog.GetSecretKeyName(source.SourceKey), ct);
+    }
+
+    private static string BuildQuery(AiWebResearchRequest request)
+    {
+        if (request.AllowedDomains.Count == 0)
+        {
+            return request.Query;
+        }
+
+        var builder = new StringBuilder(request.Query);
+        foreach (var domain in request.AllowedDomains)
+        {
+            builder.Append(" site:");
+            builder.Append(domain);
+        }
+
+        return builder.ToString();
+    }
+
+    private static string BuildReaderSearchUrl(
+        string apiBaseUrl,
+        string query,
+        string? provider
+    )
+    {
+        var host = provider?.Trim().ToLowerInvariant() switch
+        {
+            "bing" => "www.bing.com",
+            _ => "www.google.com",
+        };
+        var target = new Uri($"http://{host}/search?q={Uri.EscapeDataString(query)}");
+
+        return BuildReaderUrl(apiBaseUrl, target);
+    }
+
+    private static string BuildReaderUrl(string apiBaseUrl, Uri target)
+    {
+        var normalizedBaseUrl = string.IsNullOrWhiteSpace(apiBaseUrl)
+            ? EnrichmentSourceCatalog.DefaultJinaReaderApiBaseUrl
+            : apiBaseUrl.Trim();
+
+        return $"{normalizedBaseUrl.TrimEnd('/')}/{target.AbsoluteUri}";
+    }
+}
diff --git a/src/PatchHound.Infrastructure/Services/SoftwareDescriptionGenerationService.cs b/src/PatchHound.Infrastructure/Services/SoftwareDescriptionGenerationService.cs
index e3ca2b5c..bc227751 100644
--- a/src/PatchHound.Infrastructure/Services/SoftwareDescriptionGenerationService.cs
+++ b/src/PatchHound.Infrastructure/Services/SoftwareDescriptionGenerationService.cs
@@ -153,7 +153,8 @@ CancellationToken ct
                         BuildResearchQuery(identityCandidates),
                         ParseAllowedDomains(profile.AllowedDomains),
                         profile.MaxResearchSources,
-                        profile.IncludeCitations
+                        profile.IncludeCitations,
+                        ResearchSourceKey: profile.ResearchSourceKey
                     ),
                     ct
                 );
diff --git a/src/PatchHound.Infrastructure/Services/TenantAiResearchService.cs b/src/PatchHound.Infrastructure/Services/TenantAiResearchService.cs
index bd91e2da..c23e093a 100644
--- a/src/PatchHound.Infrastructure/Services/TenantAiResearchService.cs
+++ b/src/PatchHound.Infrastructure/Services/TenantAiResearchService.cs
@@ -1,13 +1,18 @@
 using PatchHound.Core.Common;
+using PatchHound.Core.Entities;
 using PatchHound.Core.Enums;
 using PatchHound.Core.Interfaces;
 using PatchHound.Core.Models;
+using PatchHound.Infrastructure.Data;
+using PatchHound.Infrastructure.Tenants;
+using Microsoft.EntityFrameworkCore;
 
 namespace PatchHound.Infrastructure.Services;
 
 public class TenantAiResearchService(
     LocalVulnerabilityIntelResearchProvider localVulnerabilityIntelProvider,
-    ExternalWebSearchResearchProvider externalWebSearchProvider
+    IEnumerable<IAiResearchSourceProvider> researchSourceProviders,
+    PatchHoundDbContext dbContext
 ) : ITenantAiResearchService
 {
     private const int MaxCombinedContextChars = 12000;
@@ -33,7 +38,7 @@ CancellationToken ct
                 AiResearchProviderKind.LocalVulnerabilityIntel =>
                     await localVulnerabilityIntelProvider.ResearchAsync(request, ct),
                 AiResearchProviderKind.ExternalWebSearch =>
-                    await externalWebSearchProvider.ResearchAsync(request, ct),
+                    await ResearchExternalAsync(request, ct),
                 _ => Result<AiWebResearchBundle>.Success(new AiWebResearchBundle(string.Empty, [])),
             };
 
@@ -71,6 +76,57 @@ await externalWebSearchProvider.ResearchAsync(request, ct),
         );
     }
 
+    private async Task<Result<AiWebResearchBundle>> ResearchExternalAsync(
+        AiWebResearchRequest request,
+        CancellationToken ct
+    )
+    {
+        var sourceKey = string.IsNullOrWhiteSpace(request.ResearchSourceKey)
+            ? EnrichmentSourceCatalog.ExternalWebSearchSourceKey
+            : request.ResearchSourceKey.Trim();
+
+        if (string.Equals(sourceKey, EnrichmentSourceCatalog.ExternalWebSearchSourceKey, StringComparison.OrdinalIgnoreCase))
+        {
+            var legacyProvider = researchSourceProviders.FirstOrDefault(
+                item => string.Equals(item.SourceKey, sourceKey, StringComparison.OrdinalIgnoreCase)
+            );
+            return legacyProvider is null
+                ? Result<AiWebResearchBundle>.Failure("Default web research provider is not registered.")
+                : await legacyProvider.ResearchAsync(
+                    EnrichmentSourceConfiguration.Create(sourceKey, "External web search", true),
+                    request,
+                    ct
+                );
+        }
+
+        var source = await dbContext.EnrichmentSourceConfigurations.AsNoTracking()
+            .FirstOrDefaultAsync(item => item.SourceKey == sourceKey, ct);
+        source ??= EnrichmentSourceCatalog.CreateDefaults()
+            .FirstOrDefault(item => string.Equals(item.SourceKey, sourceKey, StringComparison.OrdinalIgnoreCase));
+
+        if (source is null)
+        {
+            return Result<AiWebResearchBundle>.Failure("Selected research source is not configured.");
+        }
+
+        if (!string.Equals(sourceKey, EnrichmentSourceCatalog.ExternalWebSearchSourceKey, StringComparison.OrdinalIgnoreCase)
+            && (!source.Enabled || !EnrichmentSourceCatalog.HasTarget(source, EnrichmentSourceCatalog.AiResearchTarget)))
+        {
+            return Result<AiWebResearchBundle>.Failure("Selected research source is not available for AI research.");
+        }
+
+        var provider = researchSourceProviders.FirstOrDefault(
+            item => string.Equals(item.SourceKey, sourceKey, StringComparison.OrdinalIgnoreCase)
+        );
+
+        if (provider is null)
+        {
+            return Result<AiWebResearchBundle>.Failure("Selected research source has no registered provider.");
+        }
+
+        return await provider.ResearchAsync(source, request, ct);
+    }
+
     private static string Truncate(string value, int maxChars)
     {
         if (value.Length <= maxChars)
diff --git a/src/PatchHound.Infrastructure/Tenants/EnrichmentSourceCatalog.cs b/src/PatchHound.Infrastructure/Tenants/EnrichmentSourceCatalog.cs
index 56bbd999..81ddeed3 100644
--- a/src/PatchHound.Infrastructure/Tenants/EnrichmentSourceCatalog.cs
+++ b/src/PatchHound.Infrastructure/Tenants/EnrichmentSourceCatalog.cs
@@ -5,18 +5,23 @@ namespace PatchHound.Infrastructure.Tenants;
 
 public static class EnrichmentSourceCatalog
 {
+    public const string ScheduledTarget = "Scheduled";
+    public const string AiResearchTarget = "AIResearch";
     public const string NvdSourceKey = "nvd";
     public const string DefenderSourceKey = TenantSourceCatalog.DefenderSourceKey;
     public const string EndOfLifeSourceKey = "endoflife";
     public const string SupplyChainSourceKey = "supply-chain";
+    public const string JinaReaderSourceKey = "jina-reader";
+    public const string ExternalWebSearchSourceKey = "external-web-search";
     public const string DefaultNvdApiBaseUrl = "https://services.nvd.nist.gov/rest/json/cves/2.0";
     public const string DefaultEndOfLifeApiBaseUrl = "https://endoflife.date";
+    public const string DefaultJinaReaderApiBaseUrl = "https://r.jina.ai";
     public const int DefaultDefenderRefreshTtlHours = 24;
     public const int DefaultSupplyChainRefreshTtlHours = 24;
 
     public static IReadOnlyList<EnrichmentSourceConfiguration> CreateDefaults()
     {
-        return [CreateDefaultDefender(), CreateDefaultNvd(), CreateDefaultEndOfLife(), CreateDefaultSupplyChain()];
+        return [CreateDefaultDefender(), CreateDefaultNvd(), CreateDefaultEndOfLife(), CreateDefaultSupplyChain(), CreateDefaultJinaReader()];
     }
 
     public static EnrichmentSourceConfiguration CreateDefaultDefender()
@@ -26,7 +31,8 @@ public static EnrichmentSourceConfiguration CreateDefaultDefender()
             "Microsoft Defender",
             false,
             apiBaseUrl: TenantSourceCatalog.DefaultDefenderApiBaseUrl,
-            refreshTtlHours: DefaultDefenderRefreshTtlHours
+            refreshTtlHours: DefaultDefenderRefreshTtlHours,
+            targets: ScheduledTarget
         );
     }
 
@@ -36,7 +42,8 @@ public static EnrichmentSourceConfiguration CreateDefaultNvd()
             NvdSourceKey,
             "NVD API",
             false,
-            apiBaseUrl: DefaultNvdApiBaseUrl
+            apiBaseUrl: DefaultNvdApiBaseUrl,
+            targets: ScheduledTarget
         );
     }
 
@@ -46,7 +53,8 @@ public static EnrichmentSourceConfiguration CreateDefaultEndOfLife()
             EndOfLifeSourceKey,
             "Software End of Life",
             false,
-            apiBaseUrl: DefaultEndOfLifeApiBaseUrl
+            apiBaseUrl: DefaultEndOfLifeApiBaseUrl,
+            targets: ScheduledTarget
         );
     }
 
@@ -57,7 +65,20 @@ public static EnrichmentSourceConfiguration CreateDefaultSupplyChain()
             "Supply Chain Evidence",
             false,
             apiBaseUrl: string.Empty,
-            refreshTtlHours: DefaultSupplyChainRefreshTtlHours
+            refreshTtlHours: DefaultSupplyChainRefreshTtlHours,
+            targets: ScheduledTarget
+        );
+    }
+
+    public static EnrichmentSourceConfiguration CreateDefaultJinaReader()
+    {
+        return EnrichmentSourceConfiguration.Create(
+            JinaReaderSourceKey,
+            "Jina Reader",
+            false,
+            apiBaseUrl: DefaultJinaReaderApiBaseUrl,
+            targets: AiResearchTarget,
+            optionsJson: JinaReaderOptions.Default.ToJson()
         );
     }
 
@@ -68,6 +89,7 @@ public static bool HasConfiguredCredentials(EnrichmentSourceConfiguration source
             || string.Equals(source.SourceKey, NvdSourceKey, StringComparison.OrdinalIgnoreCase)
             || string.Equals(source.SourceKey, EndOfLifeSourceKey, StringComparison.OrdinalIgnoreCase)
             || string.Equals(source.SourceKey, SupplyChainSourceKey, StringComparison.OrdinalIgnoreCase)
+            || string.Equals(source.SourceKey, JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase)
         )
         {
             return true;
@@ -81,12 +103,19 @@ public static bool RequiresCredentials(string sourceKey)
         return !string.Equals(sourceKey, DefenderSourceKey, StringComparison.OrdinalIgnoreCase)
             && !string.Equals(sourceKey, NvdSourceKey, StringComparison.OrdinalIgnoreCase)
             && !string.Equals(sourceKey, EndOfLifeSourceKey, StringComparison.OrdinalIgnoreCase)
-            && !string.Equals(sourceKey, SupplyChainSourceKey, StringComparison.OrdinalIgnoreCase);
+            && !string.Equals(sourceKey, SupplyChainSourceKey, StringComparison.OrdinalIgnoreCase)
+            && !string.Equals(sourceKey, JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase);
+    }
+
+    public static bool SupportsOptionalCredentials(string sourceKey)
+    {
+        return string.Equals(sourceKey, JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase);
     }
 
     public static string GetSecretKeyName(string sourceKey)
     {
         return string.Equals(sourceKey, NvdSourceKey, StringComparison.OrdinalIgnoreCase)
+            || string.Equals(sourceKey, JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase)
             ? "apiKey"
             : "secret";
     }
@@ -99,6 +128,34 @@ public static IReadOnlyList<string> GetAcceptedCredentialTypes(string sourceKey)
         if (string.Equals(sourceKey, NvdSourceKey, StringComparison.OrdinalIgnoreCase))
             return [StoredCredentialTypes.ApiKey];
 
+        if (string.Equals(sourceKey, JinaReaderSourceKey, StringComparison.OrdinalIgnoreCase))
+            return [StoredCredentialTypes.ApiKey];
+
         return [];
     }
+
+    public static bool HasTarget(EnrichmentSourceConfiguration source, string target)
+    {
+        return ParseTargets(source.Targets)
+            .Contains(target, StringComparer.OrdinalIgnoreCase);
+    }
+
+    public static IReadOnlyList<string> ParseTargets(string? targets)
+    {
+        return (targets ?? string.Empty)
+            .Split([',', ';', '\n', '\r'], StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+    }
+
+    public static string NormalizeTargets(IEnumerable<string>? targets)
+    {
+        var normalized = (targets ?? [])
+            .Where(target => !string.IsNullOrWhiteSpace(target))
+            .Select(target => target.Trim())
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+        return normalized.Count == 0 ? ScheduledTarget : string.Join(",", normalized);
+    }
 }
diff --git a/src/PatchHound.Infrastructure/Tenants/JinaReaderOptions.cs b/src/PatchHound.Infrastructure/Tenants/JinaReaderOptions.cs
new file mode 100644
index 00000000..a833ac41
--- /dev/null
+++ b/src/PatchHound.Infrastructure/Tenants/JinaReaderOptions.cs
@@ -0,0 +1,62 @@
+using System.Text.Json;
+
+namespace PatchHound.Infrastructure.Tenants;
+
+public sealed record JinaReaderOptions(
+    int TimeoutSeconds,
+    int MaxContentChars,
+    string ResponseFormat,
+    bool UseReaderLmV2,
+    bool RemoveImages,
+    bool IncludeLinkSummary,
+    bool IncludeImageSummary,
+    string TargetSelector,
+    string ExcludeSelector,
+    string WaitForSelector
+)
+{
+    private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web);
+
+    public static JinaReaderOptions Default { get; } = new(
+        TimeoutSeconds: 20,
+        MaxContentChars: 8000,
+        ResponseFormat: "markdown",
+        UseReaderLmV2: false,
+        RemoveImages: true,
+        IncludeLinkSummary: true,
+        IncludeImageSummary: false,
+        TargetSelector: string.Empty,
+        ExcludeSelector: string.Empty,
+        WaitForSelector: string.Empty
+    );
+
+    public string ToJson() => JsonSerializer.Serialize(this, JsonOptions);
+
+    public static JinaReaderOptions FromJson(string? json)
+    {
+        if (string.IsNullOrWhiteSpace(json))
+        {
+            return Default;
+        }
+
+        try
+        {
+            return JsonSerializer.Deserialize<JinaReaderOptions>(json, JsonOptions) ?? Default;
+        }
+        catch (JsonException)
+        {
+            return Default;
+        }
+    }
+
+    public JinaReaderOptions Normalize() =>
+        this with
+        {
+            TimeoutSeconds = Math.Clamp(TimeoutSeconds, 3, 60),
+            MaxContentChars = Math.Clamp(MaxContentChars, 1000, 20000),
+            ResponseFormat = string.IsNullOrWhiteSpace(ResponseFormat) ? "markdown" : ResponseFormat.Trim(),
+            TargetSelector = (TargetSelector ?? string.Empty).Trim(),
+            ExcludeSelector = (ExcludeSelector ?? string.Empty).Trim(),
+            WaitForSelector = (WaitForSelector ?? string.Empty).Trim(),
+        };
+}
diff --git a/src/PatchHound.Worker/EnrichmentWorker.cs b/src/PatchHound.Worker/EnrichmentWorker.cs
index fa6046ff..396a748f 100644
--- a/src/PatchHound.Worker/EnrichmentWorker.cs
+++ b/src/PatchHound.Worker/EnrichmentWorker.cs
@@ -104,6 +104,7 @@ CancellationToken ct
             .ToListAsync(ct);
 
         return enabledSources
+            .Where(source => EnrichmentSourceCatalog.HasTarget(source, EnrichmentSourceCatalog.ScheduledTarget))
             .OrderBy(source => source.DisplayName)
             .Select(source => new EnrichmentSourceSnapshot(
                 source.Id,
diff --git a/src/PatchHound.Worker/VulnerabilityAssessmentWorker.cs b/src/PatchHound.Worker/VulnerabilityAssessmentWorker.cs
index 826d218c..edb15606 100644
--- a/src/PatchHound.Worker/VulnerabilityAssessmentWorker.cs
+++ b/src/PatchHound.Worker/VulnerabilityAssessmentWorker.cs
@@ -17,6 +17,8 @@ ILogger<VulnerabilityAssessmentWorker> logger
 ) : BackgroundService
 {
     private static readonly TimeSpan Interval = TimeSpan.FromSeconds(10);
+    private const string ExternalResearchUnavailableNote =
+        "External research was not available during the time of assessment";
 
     private const string PromptTemplate =
         "You are a security analyst responsible for prioritizing the patching of a single vulnerability. "
@@ -163,7 +165,7 @@ private async Task ProcessPendingJobAsync(CancellationToken ct)
                 vulnerability.Id,
                 parsed.Recommendation,
                 parsed.Confidence,
-                parsed.Summary,
+                ApplyExternalResearchUnavailableNote(parsed.Summary, request.ExternalContext),
                 parsed.UrgencyTier,
                 parsed.UrgencyTargetSla,
                 parsed.UrgencyReason,
@@ -388,6 +390,20 @@ private static string FormatTopLevelKeys(JsonElement root)
         return keys.Length == 0 ? "<none>" : string.Join(", ", keys);
     }
 
+    private static string ApplyExternalResearchUnavailableNote(string summary, string? externalContext)
+    {
+        if (
+            string.IsNullOrWhiteSpace(externalContext)
+            || !externalContext.Contains(ExternalResearchUnavailableNote, StringComparison.OrdinalIgnoreCase)
+            || summary.Contains(ExternalResearchUnavailableNote, StringComparison.OrdinalIgnoreCase)
+        )
+        {
+            return summary;
+        }
+
+        return $"{summary.TrimEnd()}\n{ExternalResearchUnavailableNote}";
+    }
+
     private static string NormalizeTier(string raw) =>
         raw.Trim().ToLowerInvariant() switch
         {
@@ -483,7 +499,8 @@ CancellationToken ct
                 profile.MaxResearchSources,
                 profile.IncludeCitations,
                 [vulnerabilityId],
-                providers
+                providers,
+                profile.ResearchSourceKey
             ),
             ct
         );
diff --git a/tests/PatchHound.Tests/Api/SettingsAuditControllerTests.cs b/tests/PatchHound.Tests/Api/SettingsAuditControllerTests.cs
index e597301c..409aa09d 100644
--- a/tests/PatchHound.Tests/Api/SettingsAuditControllerTests.cs
+++ b/tests/PatchHound.Tests/Api/SettingsAuditControllerTests.cs
@@ -307,6 +307,72 @@ public async Task GetEnrichmentSources_ReturnsQueueSummaryAndRecentRuns()
         dto.RecentRuns[0].JobsRetried.Should().Be(1);
     }
 
+    [Fact]
+    public async Task GetEnrichmentSources_IncludesJinaReaderAsAiResearchTool()
+    {
+        var controller = CreateSystemController();
+
+        var action = await controller.GetEnrichmentSources(CancellationToken.None);
+
+        var ok = action.Result.Should().BeOfType<OkObjectResult>().Subject;
+        var sources = ok
+            .Value.Should()
+            .BeAssignableTo<IReadOnlyList<EnrichmentSourceDto>>()
+            .Subject;
+        var dto = sources.Should().Contain(s => s.Key == EnrichmentSourceCatalog.JinaReaderSourceKey).Subject;
+        dto.Enabled.Should().BeFalse();
+        dto.CredentialMode.Should().Be("optional-global-secret");
+        dto.Targets.Should().ContainSingle().Which.Should().Be("AIResearch");
+        dto.Credentials.ApiBaseUrl.Should().Be(EnrichmentSourceCatalog.DefaultJinaReaderApiBaseUrl);
+        dto.Options.JinaReader.Should().NotBeNull();
+        dto.Options.JinaReader!.TimeoutSeconds.Should().Be(20);
+        dto.Options.JinaReader.MaxContentChars.Should().Be(8000);
+    }
+
+    [Fact]
+    public async Task UpdateEnrichmentSources_RoundTripsTargetsAndJinaOptions()
+    {
+        var controller = CreateSystemController();
+
+        var action = await controller.UpdateEnrichmentSources(
+            [
+                new UpdateEnrichmentSourceRequest(
+                    EnrichmentSourceCatalog.JinaReaderSourceKey,
+                    "Jina Reader",
+                    true,
+                    null,
+                    new UpdateEnrichmentSourceCredentialsRequest(
+                        null,
+                        string.Empty,
+                        EnrichmentSourceCatalog.DefaultJinaReaderApiBaseUrl
+                    ),
+                    ["AIResearch"],
+                    new EnrichmentSourceOptionsDto(
+                        new JinaReaderOptionsDto(
+                            30,
+                            6000,
+                            "markdown",
+                            true,
+                            true,
+                            true,
+                            false,
+                            "main",
+                            "nav, footer",
+                            ".content"
+                        )
+                    )
+                ),
+            ],
+            CancellationToken.None
+        );
+
+        action.Should().BeOfType<NoContentResult>();
+        var source = await _dbContext.EnrichmentSourceConfigurations.SingleAsync();
+        source.Targets.Should().Be("AIResearch");
+        source.OptionsJson.Should().Contain("\"timeoutSeconds\":30");
+        source.OptionsJson.Should().Contain("\"targetSelector\":\"main\"");
+    }
+
     [Fact]
     public async Task TriggerNvdModifiedSync_QueuesModifiedFeedSync()
     {
diff --git a/tests/PatchHound.Tests/Api/TenantAiProfilesControllerTests.cs b/tests/PatchHound.Tests/Api/TenantAiProfilesControllerTests.cs
index b4710e6f..cc1f2271 100644
--- a/tests/PatchHound.Tests/Api/TenantAiProfilesControllerTests.cs
+++ b/tests/PatchHound.Tests/Api/TenantAiProfilesControllerTests.cs
@@ -12,6 +12,7 @@
 using PatchHound.Infrastructure.Data;
 using PatchHound.Infrastructure.Secrets;
 using PatchHound.Infrastructure.Services;
+using PatchHound.Infrastructure.Tenants;
 using PatchHound.Tests.TestData;
 
 namespace PatchHound.Tests.Api;
@@ -205,6 +206,93 @@ public async Task Create_DefaultDisabledProfile_ReturnsBadRequest()
         (await _dbContext.TenantAiProfiles.CountAsync()).Should().Be(0);
     }
 
+    [Fact]
+    public async Task Create_ManagedExternalResearchWithoutAiSource_ReturnsBadRequest()
+    {
+        var action = await _controller.Create(
+            new SaveTenantAiProfileRequest(
+                "Default",
+                "OpenAi",
+                true,
+                true,
+                "gpt-4.1-mini",
+                "Prompt",
+                0.2m,
+                1.0m,
+                1200,
+                60,
+                "https://api.openai.com/v1",
+                "",
+                "",
+                "",
+                true,
+                "PatchHoundManaged",
+                true,
+                5,
+                "",
+                "secret-value",
+                null,
+                null,
+                ""
+            ),
+            CancellationToken.None
+        );
+
+        action.Result.Should().BeOfType<BadRequestObjectResult>();
+        (await _dbContext.TenantAiProfiles.CountAsync()).Should().Be(0);
+    }
+
+    [Fact]
+    public async Task Create_ManagedExternalResearchWithEnabledAiSource_PersistsResearchSource()
+    {
+        await _dbContext.EnrichmentSourceConfigurations.AddAsync(
+            EnrichmentSourceConfiguration.Create(
+                EnrichmentSourceCatalog.JinaReaderSourceKey,
+                "Jina Reader",
+                true,
+                apiBaseUrl: EnrichmentSourceCatalog.DefaultJinaReaderApiBaseUrl,
+                targets: "AIResearch"
+            )
+        );
+        await _dbContext.SaveChangesAsync();
+
+        var action = await _controller.Create(
+            new SaveTenantAiProfileRequest(
+                "Default",
+                "OpenAi",
+                true,
+                true,
+                "gpt-4.1-mini",
+                "Prompt",
+                0.2m,
+                1.0m,
+                1200,
+                60,
+                "https://api.openai.com/v1",
+                "",
+                "",
+                "",
+                true,
+                "PatchHoundManaged",
+                true,
+                5,
+                "",
+                "secret-value",
+                null,
+                null,
+                EnrichmentSourceCatalog.JinaReaderSourceKey
+            ),
+            CancellationToken.None
+        );
+
+        var ok = action.Result.Should().BeOfType<OkObjectResult>().Subject;
+        var dto = ok.Value.Should().BeOfType<TenantAiProfileDto>().Subject;
+        dto.ResearchSourceKey.Should().Be(EnrichmentSourceCatalog.JinaReaderSourceKey);
+
+        var profile = await _dbContext.TenantAiProfiles.SingleAsync();
+        profile.ResearchSourceKey.Should().Be(EnrichmentSourceCatalog.JinaReaderSourceKey);
+    }
+
     [Theory]
     [InlineData(0)]
     [InlineData(-1)]
diff --git a/tests/PatchHound.Tests/Infrastructure/TenantAiResearchServiceTests.cs b/tests/PatchHound.Tests/Infrastructure/TenantAiResearchServiceTests.cs
index 3b153cec..024a163b 100644
--- a/tests/PatchHound.Tests/Infrastructure/TenantAiResearchServiceTests.cs
+++ b/tests/PatchHound.Tests/Infrastructure/TenantAiResearchServiceTests.cs
@@ -4,13 +4,16 @@
 using FluentAssertions;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
+using NSubstitute;
 using PatchHound.Core.Entities;
 using PatchHound.Core.Enums;
 using PatchHound.Core.Interfaces;
 using PatchHound.Core.Models;
 using PatchHound.Infrastructure.Data;
 using PatchHound.Infrastructure.Options;
+using PatchHound.Infrastructure.Secrets;
 using PatchHound.Infrastructure.Services;
+using PatchHound.Infrastructure.Tenants;
 using PatchHound.Tests.TestData;
 
 namespace PatchHound.Tests.Infrastructure;
@@ -108,6 +111,173 @@ await service.ResearchAsync(
         handler.Requests[0].RequestUri!.ToString().Should().StartWith("https://r.jina.ai/http://www.bing.com/search?");
     }
 
+    [Fact]
+    public async Task ResearchAsync_UsesSelectedJinaReaderSourceAndSendsOptionalApiKey()
+    {
+        const string customJinaBaseUrl = "https://reader.internal";
+        var handler = new RecordingHttpMessageHandler(
+            request =>
+            {
+                if (request.RequestUri!.ToString().Contains("/search?"))
+                {
+                    return new HttpResponseMessage(HttpStatusCode.OK)
+                    {
+                        Content = new StringContent(
+                            """
+                            Title: Jina Search
+                            Markdown Content:
+                            [Vendor advisory](https://vendor.example/advisory)
+                            """,
+                            Encoding.UTF8,
+                            "text/plain"
+                        ),
+                    };
+                }
+
+                return new HttpResponseMessage(HttpStatusCode.OK)
+                {
+                    Content = new StringContent(
+                        """
+                        Title: Vendor advisory
+                        URL Source: https://vendor.example/advisory
+                        Markdown Content:
+                        Exploitation details and patch guidance.
+                        """,
+                        Encoding.UTF8,
+                        "text/plain"
+                    ),
+                };
+            }
+        );
+        await using var db = TestDbContextFactory.CreateSystemContext();
+        db.EnrichmentSourceConfigurations.Add(
+            EnrichmentSourceConfiguration.Create(
+                EnrichmentSourceCatalog.JinaReaderSourceKey,
+                "Jina Reader",
+                true,
+                "system/enrichment-sources/jina-reader",
+                customJinaBaseUrl,
+                targets: "AIResearch",
+                optionsJson: new JinaReaderOptions(
+                    20,
+                    8000,
+                    "markdown",
+                    false,
+                    true,
+                    true,
+                    true,
+                    ".article",
+                    ".ads",
+                    "#content"
+                ).ToJson()
+            )
+        );
+        await db.SaveChangesAsync();
+
+        var secretStore = Substitute.For<ISecretStore>();
+        secretStore
+            .GetSecretAsync("system/enrichment-sources/jina-reader", "apiKey", Arg.Any<CancellationToken>())
+            .Returns("jina-key");
+        var service = CreateService(db, handler, secretStore: secretStore);
+        var profile = TenantAiProfileFactory.Create(
+            Guid.NewGuid(),
+            providerType: TenantAiProviderType.Ollama,
+            allowExternalResearch: true,
+            webResearchMode: TenantAiWebResearchMode.PatchHoundManaged,
+            researchSourceKey: EnrichmentSourceCatalog.JinaReaderSourceKey
+        );
+
+        var result = await service.ResearchAsync(
+            new TenantAiProfileResolved(profile, string.Empty),
+            new AiWebResearchRequest(
+                "CVE-2026-0001",
+                [],
+                1,
+                true,
+                Providers: [AiResearchProviderKind.ExternalWebSearch],
+                ResearchSourceKey: EnrichmentSourceCatalog.JinaReaderSourceKey
+            ),
+            CancellationToken.None
+        );
+
+        result.IsSuccess.Should().BeTrue();
+        result.Value.Context.Should().Contain("Exploitation details and patch guidance.");
+        handler.Requests.Should().HaveCount(2);
+        handler.Requests[0].RequestUri!.ToString().Should().StartWith($"{customJinaBaseUrl}/http://www.google.com/search?");
+        handler.Requests[1].RequestUri!.ToString().Should().Be($"{customJinaBaseUrl}/https://vendor.example/advisory");
+        handler.Requests[0].Headers.Authorization!.Scheme.Should().Be("Bearer");
+        handler.Requests[0].Headers.Authorization!.Parameter.Should().Be("jina-key");
+        handler.Requests[0].Headers.GetValues("X-Respond-With").Should().ContainSingle().Which.Should().Be("markdown");
+        handler.Requests[0].Headers.GetValues("X-With-Links-Summary").Should().ContainSingle().Which.Should().Be("true");
+        handler.Requests[0].Headers.GetValues("X-With-Images-Summary").Should().ContainSingle().Which.Should().Be("true");
+        handler.Requests[0].Headers.GetValues("X-Target-Selector").Should().ContainSingle().Which.Should().Be(".article");
+        handler.Requests[0].Headers.GetValues("X-Remove-Selector").Should().Contain(".ads");
+        handler.Requests[0].Headers.GetValues("X-Wait-For-Selector").Should().ContainSingle().Which.Should().Be("#content");
+    }
+
+    [Fact]
+    public async Task ResearchAsync_UsesSelectedJinaReaderSource_ReturnsUnavailableNote_WhenJinaIsRateLimited()
+    {
+        var handler = new RecordingHttpMessageHandler(
+            _ => new HttpResponseMessage(HttpStatusCode.TooManyRequests)
+            {
+                Content = new StringContent(
+                    "The requested URL returned error: 429 Too Many Requests",
+                    Encoding.UTF8,
+                    "text/plain"
+                ),
+            }
+        );
+        await using var db = TestDbContextFactory.CreateSystemContext();
+        db.EnrichmentSourceConfigurations.Add(
+            EnrichmentSourceConfiguration.Create(
+                EnrichmentSourceCatalog.JinaReaderSourceKey,
+                "Jina Reader",
+                true,
+                apiBaseUrl: EnrichmentSourceCatalog.DefaultJinaReaderApiBaseUrl,
+                targets: "AIResearch"
+            )
+        );
+        await db.SaveChangesAsync();
+
+        var service = CreateService(db, handler);
+        var profile = TenantAiProfileFactory.Create(
+            Guid.NewGuid(),
+            providerType: TenantAiProviderType.Ollama,
+            allowExternalResearch: true,
+            webResearchMode: TenantAiWebResearchMode.PatchHoundManaged,
+            researchSourceKey: EnrichmentSourceCatalog.JinaReaderSourceKey
+        );
+
+        var result = await service.ResearchAsync(
+            new TenantAiProfileResolved(profile, string.Empty),
+            new AiWebResearchRequest(
+                "CVE-2026-0001",
+                [],
+                1,
+                true,
+                Providers: [AiResearchProviderKind.ExternalWebSearch],
+                ResearchSourceKey: EnrichmentSourceCatalog.JinaReaderSourceKey
+            ),
+            CancellationToken.None
+        );
+
+        result.IsSuccess.Should().BeTrue();
+        result.Value.Context.Should().Be("External research was not available during the time of assessment");
+        result.Value.Sources.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void JinaReaderOptions_FromJson_NormalizesMissingStringFields()
+    {
+        var options = JinaReaderOptions.FromJson("{}").Normalize();
+
+        options.ResponseFormat.Should().Be("markdown");
+        options.TargetSelector.Should().BeEmpty();
+        options.ExcludeSelector.Should().BeEmpty();
+        options.WaitForSelector.Should().BeEmpty();
+    }
+
     [Fact]
     public void AddHttpClient_CanResolveTenantAiResearchService_WithConfiguredOptions()
     {
@@ -116,6 +286,10 @@ public void AddHttpClient_CanResolveTenantAiResearchService_WithConfiguredOption
         services.AddSingleton(TestDbContextFactory.CreateSystemContext());
         services.AddScoped<LocalVulnerabilityIntelResearchProvider>();
         services.AddHttpClient<ExternalWebSearchResearchProvider>();
+        services.AddScoped<IAiResearchSourceProvider>(sp => sp.GetRequiredService<ExternalWebSearchResearchProvider>());
+        services.AddSingleton(Substitute.For<ISecretStore>());
+        services.AddHttpClient<JinaReaderAiResearchProvider>();
+        services.AddScoped<IAiResearchSourceProvider>(sp => sp.GetRequiredService<JinaReaderAiResearchProvider>());
         services.AddScoped<ITenantAiResearchService, TenantAiResearchService>();
 
         using var provider = services.BuildServiceProvider();
@@ -248,16 +422,25 @@ public async Task ResearchAsync_LocalIntelCacheMiss_ReturnsEmptyBundleWithoutExt
     private static TenantAiResearchService CreateService(
         PatchHoundDbContext db,
         RecordingHttpMessageHandler handler,
-        AiResearchOptions? options = null
+        AiResearchOptions? options = null,
+        ISecretStore? secretStore = null
     )
     {
+        var httpClient = new HttpClient(handler);
         var externalProvider = new ExternalWebSearchResearchProvider(
-            new HttpClient(handler),
+            httpClient,
+            Options.Create(options ?? new AiResearchOptions())
+        );
+        var jinaProvider = new JinaReaderAiResearchProvider(
+            httpClient,
+            db,
+            secretStore ?? Substitute.For<ISecretStore>(),
             Options.Create(options ?? new AiResearchOptions())
         );
         return new TenantAiResearchService(
             new LocalVulnerabilityIntelResearchProvider(db),
-            externalProvider
+            [externalProvider, jinaProvider],
+            db
         );
     }
 
diff --git a/tests/PatchHound.Tests/TestData/TenantAiProfileFactory.cs b/tests/PatchHound.Tests/TestData/TenantAiProfileFactory.cs
index 44d98db2..8c990f6e 100644
--- a/tests/PatchHound.Tests/TestData/TenantAiProfileFactory.cs
+++ b/tests/PatchHound.Tests/TestData/TenantAiProfileFactory.cs
@@ -26,7 +26,8 @@ public static TenantAiProfile Create(
         TenantAiWebResearchMode webResearchMode = TenantAiWebResearchMode.Disabled,
         bool includeCitations = true,
         int maxResearchSources = 5,
-        string allowedDomains = ""
+        string allowedDomains = "",
+        string researchSourceKey = ""
     ) =>
         TenantAiProfile.Create(
             tenantId,
@@ -49,6 +50,7 @@ public static TenantAiProfile Create(
             webResearchMode,
             includeCitations,
             maxResearchSources,
-            allowedDomains
+            allowedDomains,
+            researchSourceKey: researchSourceKey
         );
 }
diff --git a/tests/PatchHound.Tests/Worker/IngestionWorkerTests.cs b/tests/PatchHound.Tests/Worker/IngestionWorkerTests.cs
index ea7247f8..067df5aa 100644
--- a/tests/PatchHound.Tests/Worker/IngestionWorkerTests.cs
+++ b/tests/PatchHound.Tests/Worker/IngestionWorkerTests.cs
@@ -158,6 +158,26 @@ public void TryParseAssessment_ReportsTopLevelKeys_WhenUrgencyIsMissing()
         error.Should().Be("Missing Urgency object. Top-level keys: Recommendation, Confidence, Summary, UrgencyTier, UrgencyTargetSla, UrgencyReason");
     }
 
+    [Fact]
+    public void ApplyExternalResearchUnavailableNote_AppendsNoteToSummaryOnce()
+    {
+        var summary = InvokeApplyExternalResearchUnavailableNote(
+            "Patch quickly based on local vulnerability intelligence.",
+            "External research was not available during the time of assessment"
+        );
+
+        summary.Should().Be(
+            "Patch quickly based on local vulnerability intelligence.\nExternal research was not available during the time of assessment"
+        );
+
+        InvokeApplyExternalResearchUnavailableNote(
+                summary,
+                "External research was not available during the time of assessment"
+            )
+            .Should()
+            .Be(summary);
+    }
+
     private static (bool Success, string Error) InvokeTryParseAssessment(string raw)
     {
         var method = typeof(VulnerabilityAssessmentWorker).GetMethod(
@@ -171,4 +191,15 @@ private static (bool Success, string Error) InvokeTryParseAssessment(string raw)
 
         return (success, (string)args[2]!);
     }
+
+    private static string InvokeApplyExternalResearchUnavailableNote(string summary, string? externalContext)
+    {
+        var method = typeof(VulnerabilityAssessmentWorker).GetMethod(
+            "ApplyExternalResearchUnavailableNote",
+            BindingFlags.NonPublic | BindingFlags.Static
+        );
+        method.Should().NotBeNull();
+
+        return (string)method!.Invoke(null, [summary, externalContext])!;
+    }
 }