Add MongoDB storage library and update acceptance tests with deterministic stubs

- Created StellaOps.Notify.Storage.Mongo project with initial configuration.
- Added expected output files for acceptance tests (at1.txt to at10.txt).
- Added fixture input files for acceptance tests (at1 to at10).
- Created input and signature files for test cases fc1 to fc5.

docs/vuln/GRAP0101-integration-checklist.md

@@ -0,0 +1,29 @@
+# GRAP0101 Integration Checklist for Vuln Explorer Md.XI
+
+Use this checklist when the GRAP0101 domain model contract arrives.
+
+## Fill across docs
+- `docs/vuln/explorer-overview.md`: replace `[[pending:...]]` placeholders (entities, relationships, identifiers); confirm triage state names; add hashes for examples once captured.
+- `docs/vuln/explorer-using-console.md`: apply final field labels, keyboard shortcuts, saved view params; drop hashed assets per checklist.
+- `docs/vuln/explorer-api.md`: finalize filter/sort/ETag params, limits, error codes; attach hashed request/response fixtures.
+- `docs/vuln/explorer-cli.md`: align flag names with API; add hashed CLI outputs.
+- `docs/vuln/findings-ledger.md`: align schema names/ids; confirm hash fields and Merkle notes match GRAP0101.
+- `docs/policy/vuln-determinations.md`: sync identifiers and signal fields referenced in policy outputs.
+- `docs/vex/explorer-integration.md`: confirm CSAF→VEX mapping fields and precedence references.
+- `docs/advisories/explorer-integration.md`: update advisory identifiers/keys to GRAP0101 naming.
+- `docs/sbom/vuln-resolution.md`: align component identifier fields (purl/NEVRA) with GRAP0101.
+- `docs/observability/vuln-telemetry.md`: verify metric/log labels (findingId, advisoryId, policyVersion, artifactId) match contract.
+- `docs/security/vuln-rbac.md`: confirm scope/claim names and attachment token fields.
+- `docs/runbooks/vuln-ops.md`: ensure IDs/fields in remediation steps match contract.
+
+## Hash capture locations
+- Record all assets in `docs/assets/vuln-explorer/SHA256SUMS` using the per-subdir checklists.
+
+## Order of operations
+1. Update overview entities/ids first (DOCS-VULN-29-001).
+2. Propagate identifiers to console/API/CLI stubs (#2–#4).
+3. Align ledger/policy/VEX/advisory/SBOM docs (#5–#9).
+4. Finish telemetry/RBAC/runbook (#10–#12).
+5. Update install doc (#13) once images/manifests arrive.
+
+_Last updated: 2025-12-05 (UTC)_

docs/vuln/explorer-overview.md

@@ -36,6 +36,16 @@
 3) Expose via API/Console/CLI with cached reachability/VEX context and policy explain bundles (VEX-first, reachability second, policy gates third per architecture).
 4) Export reports/offline bundles; verify with ledger hashes and DSSE attestations.
 
+## Triage States (architecture; finalize with GRAP0101)
+- `new` → `triaged` → `in_progress` → `awaiting_verification` → `remediated`
+- `new` → `closed_false_positive`
+- `new` → `accepted_risk`
+- Each transition requires justification; accepted risk requires multi-approver workflow (Policy Studio) and ABAC enforcement.
+
+## Offline / Export Expectations
+- Offline bundle structure: `manifest.json`, `findings.jsonl`, `history.jsonl`, `actions.jsonl`, `reports/`, `signatures/` (DSSE envelopes); deterministic ordering and hashes.
+- Bundles are consumed by Export Center mirror profiles; include Merkle roots and hash manifests for verification.
+
 ## Offline/Determinism Notes
 - Hash captures for screenshots/payloads recorded in `docs/assets/vuln-explorer/SHA256SUMS` (empty until assets arrive).
 - Use fixed fixture sets and ordered outputs when adding examples.