Align finding-enum JSON serialization to snake_case (Confidence/Verdict/ThreatCategory) #255

Description

@Zious11

Summary

Confidence, Verdict, and ThreatCategory in src/findings.rs currently serialize via serde as PascalCase ("Possible", "High", "Anomaly") while their Display impls render UPPERCASE. For SIEM/downstream JSON interop, align JSON output to lowercase/snake_case.

Proposed Change

Add #[serde(rename_all = "snake_case")] (or "lowercase" where appropriate) to Confidence, Verdict, and ThreatCategory, matching security-tooling conventions:

  • Suricata EVE JSON uses lowercase event_type
  • Elastic ECS log.level uses lowercase ("info", "error")
  • OCSF uses numeric severity_id + lowercase string equivalents

Breaking Change Notice

This is a BREAKING CHANGE to JSON output. It must be governed and version-noted, and touches behavioral contracts BC-2.09.004, BC-2.11.001, and ADR-0003. Should not be bundled into a feature story — requires a standalone governed PR with changelog entry.

Current JSON is internally self-consistent PascalCase; this change improves ecosystem alignment at the cost of a schema break for existing consumers.

Severity

Low (enhancement, not a defect). Current JSON is internally consistent; this is an improvement for SIEM/downstream integration alignment.

Source

Research-validated per DF-VALIDATION-001. Validation report: .factory/research/arp-followups-validation.md item 4. From the ARP analyzer F6/F7 cycle (STORY-111..115).

Metadata
Labels

enhancement (New feature or request), reporter (Output/export formats)