feat: adding stewardship tables and small fixis (CM-1218)

[ulemons]

Summary

Provisions the six stewardship tables for the OSSPREY Self Serve program (v1) and cleans up the packages API type layer. In v1 only stewardships is populated — one unassigned row per critical package via the import job. The other five tables are schema-only, empty until v2 write flows land.

Changes

• Migration V1781094067__stewardship-tables.sql: creates stewardships, stewardship_stewards, stewardship_activity, stewardship_assessments, stewardship_findings, stewardship_remediation_actions with all indexes and FK constraints. Notable deviations from the original spec: updated_at added to stewardship_assessments (was missing vs all other mutable tables); optional assessment_id FK on stewardship_findings to link findings to the assessment that produced them when v2 lands
• types.ts (new): single source of truth for domain types — StewardshipStatus, Lifecycle, SeverityLevel, OpenVulns, Steward, StewardshipSummary — previously scattered as inline literals across handler files
• OpenAPI: added stewardship block to PackageDetail; renamed PackageListItem.steward → stewards; added openVulns to StewardshipSummary.required
• batchGetStewardship.ts: reads stewardship.status from mock detail instead of hardcoding 'unassigned'; removed redundant in guard on severity accumulator
• mockData.ts: all types now reference types.ts; stewardship block added to MockPackageDetail

Type of change

• Bug fix
• New feature
• Refactor / cleanup
• Performance improvement
• Chore / dependency update
• Documentation

JIRA ticket

ticket

---

Note

Medium Risk
New production migration defines core stewardship persistence; OpenAPI field renames (steward → stewards) may affect API clients even though handlers still use mocks.

Overview
Adds OSSPREY stewardship v1 database schema via migration V1781094067__stewardship-tables.sql: six tables (stewardships plus stewards, activity, assessments, findings, remediation actions) with indexes and FKs. v1 is expected to populate only stewardships (one unassigned row per critical package); the rest stay empty until v2 writes.

Introduces types.ts as the shared domain model (StewardshipStatus, Lifecycle, OpenVulns, Steward, StewardshipSummary, etc.) and wires mock data and batchGetStewardship to it: mock package details gain a stewardship block, list items use stewards instead of steward, and batch responses take stewardship status from mock detail rather than a hardcoded 'unassigned'.

OpenAPI documents stewardship on PackageDetail, renames list steward → stewards, and adds openVulns to StewardshipSummary required fields.

^{Reviewed by Cursor Bugbot for commit b7f1724. Bugbot is set up for automated code reviews on this repo. Configure here.}

[Copilot]

Pull request overview

This PR provisions the initial database schema for OSSPREY Self Serve “stewardship” (v1) and refactors the public Packages API typing + OpenAPI spec to introduce a stewardship surface area (currently backed by mocks).

Changes:

• Add a new packages-db migration creating six stewardship-related tables with indexes/FKs.
• Introduce a single types.ts source-of-truth for stewardship/domain types and update mocks/handlers to use it.
• Update the Packages OpenAPI schema to include stewardship fields and adjust the list/batch shapes.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
backend/src/osspckgs/migrations/V1781094067__stewardship-tables.sql	Adds stewardship tables + indexes for v1/v2 rollout.
backend/src/api/public/v1/packages/types.ts	Adds centralized TS domain types for packages stewardship API.
backend/src/api/public/v1/packages/openapi.yaml	Extends public OpenAPI contract with stewardship fields and tweaks required fields.
backend/src/api/public/v1/packages/mockData.ts	Updates mocks to use shared types and adds stewardship to detail mocks.
backend/src/api/public/v1/packages/batchGetStewardship.ts	Aligns batch endpoint output with new types and mock detail stewardship status.

Comments suppressed due to low confidence (1)

backend/src/api/public/v1/packages/openapi.yaml:201

• stewards is named as a plural but is modeled as a single Steward (or null), and the description also says “Single assigned steward”. This is inconsistent for API consumers and future evolution (especially since the DB schema is many-to-many). Either rename the field to singular (steward) everywhere, or change the shape to an array (stewards: Steward[]) and update the OpenAPI schema + handlers/mocks accordingly.

        stewards:
          description: Single assigned steward or null.
          oneOf:
            - $ref: '#/components/schemas/Steward'
            - type: 'null'

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.