Add channel test providers for Email, Slack, Teams, and Webhook

- Implemented EmailChannelTestProvider to generate email preview payloads.
- Implemented SlackChannelTestProvider to create Slack message previews.
- Implemented TeamsChannelTestProvider for generating Teams Adaptive Card previews.
- Implemented WebhookChannelTestProvider to create webhook payloads.
- Added INotifyChannelTestProvider interface for channel-specific preview generation.
- Created ChannelTestPreviewContracts for request and response models.
- Developed NotifyChannelTestService to handle test send requests and generate previews.
- Added rate limit policies for test sends and delivery history.
- Implemented unit tests for service registration and binding.
- Updated project files to include necessary dependencies and configurations.

src/StellaOps.Auth.Security/Dpop/DpopNonceConsumeResult.cs

@@ -0,0 +1,50 @@
+using System;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Represents the outcome of attempting to consume a DPoP nonce.
+/// </summary>
+public sealed class DpopNonceConsumeResult
+{
+    private DpopNonceConsumeResult(DpopNonceConsumeStatus status, DateTimeOffset? issuedAt, DateTimeOffset? expiresAt)
+    {
+        Status = status;
+        IssuedAt = issuedAt;
+        ExpiresAt = expiresAt;
+    }
+
+    /// <summary>
+    /// Consumption status.
+    /// </summary>
+    public DpopNonceConsumeStatus Status { get; }
+
+    /// <summary>
+    /// Timestamp the nonce was originally issued (when available).
+    /// </summary>
+    public DateTimeOffset? IssuedAt { get; }
+
+    /// <summary>
+    /// Expiry timestamp for the nonce (when available).
+    /// </summary>
+    public DateTimeOffset? ExpiresAt { get; }
+
+    public static DpopNonceConsumeResult Success(DateTimeOffset issuedAt, DateTimeOffset expiresAt)
+        => new(DpopNonceConsumeStatus.Success, issuedAt, expiresAt);
+
+    public static DpopNonceConsumeResult Expired(DateTimeOffset? issuedAt, DateTimeOffset expiresAt)
+        => new(DpopNonceConsumeStatus.Expired, issuedAt, expiresAt);
+
+    public static DpopNonceConsumeResult NotFound()
+        => new(DpopNonceConsumeStatus.NotFound, null, null);
+}
+
+/// <summary>
+/// Known statuses for nonce consumption attempts.
+/// </summary>
+public enum DpopNonceConsumeStatus
+{
+    Success,
+    Expired,
+    NotFound
+}

src/StellaOps.Auth.Security/Dpop/DpopNonceIssueResult.cs

@@ -0,0 +1,56 @@
+using System;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Represents the result of issuing a DPoP nonce.
+/// </summary>
+public sealed class DpopNonceIssueResult
+{
+    private DpopNonceIssueResult(DpopNonceIssueStatus status, string? nonce, DateTimeOffset? expiresAt, string? error)
+    {
+        Status = status;
+        Nonce = nonce;
+        ExpiresAt = expiresAt;
+        Error = error;
+    }
+
+    /// <summary>
+    /// Issue status.
+    /// </summary>
+    public DpopNonceIssueStatus Status { get; }
+
+    /// <summary>
+    /// Issued nonce when <see cref="Status"/> is <see cref="DpopNonceIssueStatus.Success"/>.
+    /// </summary>
+    public string? Nonce { get; }
+
+    /// <summary>
+    /// Expiry timestamp for the issued nonce (UTC).
+    /// </summary>
+    public DateTimeOffset? ExpiresAt { get; }
+
+    /// <summary>
+    /// Additional failure information, where applicable.
+    /// </summary>
+    public string? Error { get; }
+
+    public static DpopNonceIssueResult Success(string nonce, DateTimeOffset expiresAt)
+        => new(DpopNonceIssueStatus.Success, nonce, expiresAt, null);
+
+    public static DpopNonceIssueResult RateLimited(string? error = null)
+        => new(DpopNonceIssueStatus.RateLimited, null, null, error);
+
+    public static DpopNonceIssueResult Failure(string? error = null)
+        => new(DpopNonceIssueStatus.Failure, null, null, error);
+}
+
+/// <summary>
+/// Known statuses for nonce issuance.
+/// </summary>
+public enum DpopNonceIssueStatus
+{
+    Success,
+    RateLimited,
+    Failure
+}

src/StellaOps.Auth.Security/Dpop/DpopNonceUtilities.cs

@@ -0,0 +1,66 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+internal static class DpopNonceUtilities
+{
+    private static readonly char[] Base64Padding = { '=' };
+
+    internal static string GenerateNonce()
+    {
+        Span<byte> buffer = stackalloc byte[32];
+        RandomNumberGenerator.Fill(buffer);
+
+        return Convert.ToBase64String(buffer)
+            .TrimEnd(Base64Padding)
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    internal static byte[] ComputeNonceHash(string nonce)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        var bytes = Encoding.UTF8.GetBytes(nonce);
+        return SHA256.HashData(bytes);
+    }
+
+    internal static string EncodeHash(ReadOnlySpan<byte> hash)
+        => Convert.ToHexString(hash);
+
+    internal static string ComputeStorageKey(string audience, string clientId, string keyThumbprint)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        return string.Create(
+            "dpop-nonce:".Length + audience.Length + clientId.Length + keyThumbprint.Length + 2,
+            (audience.Trim(), clientId.Trim(), keyThumbprint.Trim()),
+            static (span, parts) =>
+            {
+                var index = 0;
+                const string Prefix = "dpop-nonce:";
+                Prefix.CopyTo(span);
+                index += Prefix.Length;
+
+                index = Append(span, index, parts.Item1);
+                span[index++] = ':';
+                index = Append(span, index, parts.Item2);
+                span[index++] = ':';
+                _ = Append(span, index, parts.Item3);
+            });
+
+        static int Append(Span<char> span, int index, string value)
+        {
+            if (value.Length == 0)
+            {
+                throw new ArgumentException("Value must not be empty after trimming.");
+            }
+
+            value.AsSpan().CopyTo(span[index..]);
+            return index + value.Length;
+        }
+    }
+}

src/StellaOps.Auth.Security/Dpop/IDpopNonceStore.cs

@@ -0,0 +1,45 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Provides persistence and validation for DPoP nonces.
+/// </summary>
+public interface IDpopNonceStore
+{
+    /// <summary>
+    /// Issues a nonce tied to the specified audience, client, and DPoP key thumbprint.
+    /// </summary>
+    /// <param name="audience">Audience the nonce applies to.</param>
+    /// <param name="clientId">Client identifier requesting the nonce.</param>
+    /// <param name="keyThumbprint">Thumbprint of the DPoP public key.</param>
+    /// <param name="ttl">Time-to-live for the nonce.</param>
+    /// <param name="maxIssuancePerMinute">Maximum number of nonces that can be issued within a one-minute window for the tuple.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Outcome describing the issued nonce.</returns>
+    ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Attempts to consume a nonce previously issued for the tuple.
+    /// </summary>
+    /// <param name="nonce">Nonce supplied by the client.</param>
+    /// <param name="audience">Audience the nonce should match.</param>
+    /// <param name="clientId">Client identifier.</param>
+    /// <param name="keyThumbprint">Thumbprint of the DPoP public key.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Outcome describing whether the nonce was accepted.</returns>
+    ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default);
+}

src/StellaOps.Auth.Security/Dpop/InMemoryDpopNonceStore.cs

@@ -0,0 +1,176 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading;
+using Microsoft.Extensions.Logging;
+using System.Threading.Tasks;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// In-memory implementation of <see cref="IDpopNonceStore"/> suitable for single-host or test environments.
+/// </summary>
+public sealed class InMemoryDpopNonceStore : IDpopNonceStore
+{
+    private static readonly TimeSpan IssuanceWindow = TimeSpan.FromMinutes(1);
+    private readonly ConcurrentDictionary<string, StoredNonce> nonces = new(StringComparer.Ordinal);
+    private readonly ConcurrentDictionary<string, IssuanceBucket> issuanceBuckets = new(StringComparer.Ordinal);
+    private readonly TimeProvider timeProvider;
+    private readonly ILogger<InMemoryDpopNonceStore>? logger;
+
+    public InMemoryDpopNonceStore(TimeProvider? timeProvider = null, ILogger<InMemoryDpopNonceStore>? logger = null)
+    {
+        this.timeProvider = timeProvider ?? TimeProvider.System;
+        this.logger = logger;
+    }
+
+    public ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        if (ttl <= TimeSpan.Zero)
+        {
+            throw new ArgumentOutOfRangeException(nameof(ttl), "Nonce TTL must be greater than zero.");
+        }
+
+        if (maxIssuancePerMinute < 1)
+        {
+            throw new ArgumentOutOfRangeException(nameof(maxIssuancePerMinute), "Max issuance per minute must be at least 1.");
+        }
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var now = timeProvider.GetUtcNow();
+        var bucketKey = BuildBucketKey(audience, clientId, keyThumbprint);
+        var bucket = issuanceBuckets.GetOrAdd(bucketKey, static _ => new IssuanceBucket());
+
+        bool allowed;
+        lock (bucket.SyncRoot)
+        {
+            bucket.Prune(now - IssuanceWindow);
+
+            if (bucket.IssuanceTimes.Count >= maxIssuancePerMinute)
+            {
+                allowed = false;
+            }
+            else
+            {
+                bucket.IssuanceTimes.Enqueue(now);
+                allowed = true;
+            }
+        }
+
+        if (!allowed)
+        {
+            logger?.LogDebug("DPoP nonce issuance throttled for {BucketKey}.", bucketKey);
+            return ValueTask.FromResult(DpopNonceIssueResult.RateLimited("rate_limited"));
+        }
+
+        var nonce = GenerateNonce();
+        var nonceKey = BuildNonceKey(audience, clientId, keyThumbprint, nonce);
+        var expiresAt = now + ttl;
+        nonces[nonceKey] = new StoredNonce(now, expiresAt);
+        return ValueTask.FromResult(DpopNonceIssueResult.Success(nonce, expiresAt));
+    }
+
+    public ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var now = timeProvider.GetUtcNow();
+        var nonceKey = BuildNonceKey(audience, clientId, keyThumbprint, nonce);
+
+        if (!nonces.TryRemove(nonceKey, out var stored))
+        {
+            logger?.LogDebug("DPoP nonce {NonceKey} not found during consumption.", nonceKey);
+            return ValueTask.FromResult(DpopNonceConsumeResult.NotFound());
+        }
+
+        if (stored.ExpiresAt <= now)
+        {
+            logger?.LogDebug("DPoP nonce {NonceKey} expired at {ExpiresAt:o}.", nonceKey, stored.ExpiresAt);
+            return ValueTask.FromResult(DpopNonceConsumeResult.Expired(stored.IssuedAt, stored.ExpiresAt));
+        }
+
+        return ValueTask.FromResult(DpopNonceConsumeResult.Success(stored.IssuedAt, stored.ExpiresAt));
+    }
+
+    private static string BuildBucketKey(string audience, string clientId, string keyThumbprint)
+        => $"{audience.Trim().ToLowerInvariant()}::{clientId.Trim().ToLowerInvariant()}::{keyThumbprint.Trim().ToLowerInvariant()}";
+
+    private static string BuildNonceKey(string audience, string clientId, string keyThumbprint, string nonce)
+    {
+        var bucketKey = BuildBucketKey(audience, clientId, keyThumbprint);
+        var digest = ComputeSha256(nonce);
+        return $"{bucketKey}::{digest}";
+    }
+
+    private static string ComputeSha256(string value)
+    {
+        var bytes = Encoding.UTF8.GetBytes(value);
+        var hash = SHA256.HashData(bytes);
+        return Base64UrlEncode(hash);
+    }
+
+    private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
+    {
+        return Convert.ToBase64String(bytes)
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    private static string GenerateNonce()
+    {
+        Span<byte> buffer = stackalloc byte[32];
+        RandomNumberGenerator.Fill(buffer);
+        return Base64UrlEncode(buffer);
+    }
+
+    private sealed class StoredNonce
+    {
+        internal StoredNonce(DateTimeOffset issuedAt, DateTimeOffset expiresAt)
+        {
+            IssuedAt = issuedAt;
+            ExpiresAt = expiresAt;
+        }
+
+        internal DateTimeOffset IssuedAt { get; }
+
+        internal DateTimeOffset ExpiresAt { get; }
+    }
+
+    private sealed class IssuanceBucket
+    {
+        internal object SyncRoot { get; } = new();
+        internal Queue<DateTimeOffset> IssuanceTimes { get; } = new();
+
+        internal void Prune(DateTimeOffset threshold)
+        {
+            while (IssuanceTimes.Count > 0 && IssuanceTimes.Peek() < threshold)
+            {
+                IssuanceTimes.Dequeue();
+            }
+        }
+    }
+}

src/StellaOps.Auth.Security/Dpop/RedisDpopNonceStore.cs

@@ -0,0 +1,138 @@
+using System;
+using System.Globalization;
+using System.Threading;
+using System.Threading.Tasks;
+using StackExchange.Redis;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Redis-backed implementation of <see cref="IDpopNonceStore"/> that supports multi-node deployments.
+/// </summary>
+public sealed class RedisDpopNonceStore : IDpopNonceStore
+{
+    private const string ConsumeScript = @"
+local value = redis.call('GET', KEYS[1])
+if value ~= false and value == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  return 1
+end
+return 0";
+
+    private readonly IConnectionMultiplexer connection;
+    private readonly TimeProvider timeProvider;
+
+    public RedisDpopNonceStore(IConnectionMultiplexer connection, TimeProvider? timeProvider = null)
+    {
+        this.connection = connection ?? throw new ArgumentNullException(nameof(connection));
+        this.timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    public async ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        if (ttl <= TimeSpan.Zero)
+        {
+            throw new ArgumentOutOfRangeException(nameof(ttl), "Nonce TTL must be greater than zero.");
+        }
+
+        if (maxIssuancePerMinute < 1)
+        {
+            throw new ArgumentOutOfRangeException(nameof(maxIssuancePerMinute), "Max issuance per minute must be at least 1.");
+        }
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var database = connection.GetDatabase();
+        var issuedAt = timeProvider.GetUtcNow();
+
+        var baseKey = DpopNonceUtilities.ComputeStorageKey(audience, clientId, keyThumbprint);
+        var nonceKey = (RedisKey)baseKey;
+        var metadataKey = (RedisKey)(baseKey + ":meta");
+        var rateKey = (RedisKey)(baseKey + ":rate");
+
+        var rateCount = await database.StringIncrementAsync(rateKey, flags: CommandFlags.DemandMaster).ConfigureAwait(false);
+        if (rateCount == 1)
+        {
+            await database.KeyExpireAsync(rateKey, TimeSpan.FromMinutes(1), CommandFlags.DemandMaster).ConfigureAwait(false);
+        }
+
+        if (rateCount > maxIssuancePerMinute)
+        {
+            return DpopNonceIssueResult.RateLimited("rate_limited");
+        }
+
+        var nonce = DpopNonceUtilities.GenerateNonce();
+        var hash = (RedisValue)DpopNonceUtilities.EncodeHash(DpopNonceUtilities.ComputeNonceHash(nonce));
+        var expiresAt = issuedAt + ttl;
+
+        await database.StringSetAsync(nonceKey, hash, ttl, When.Always, CommandFlags.DemandMaster).ConfigureAwait(false);
+        var metadataValue = FormattableString.Invariant($"{issuedAt.UtcTicks}|{ttl.Ticks}");
+        await database.StringSetAsync(metadataKey, metadataValue, ttl, When.Always, CommandFlags.DemandMaster).ConfigureAwait(false);
+
+        return DpopNonceIssueResult.Success(nonce, expiresAt);
+    }
+
+    public async ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var database = connection.GetDatabase();
+
+        var baseKey = DpopNonceUtilities.ComputeStorageKey(audience, clientId, keyThumbprint);
+        var nonceKey = (RedisKey)baseKey;
+        var metadataKey = (RedisKey)(baseKey + ":meta");
+        var hash = (RedisValue)DpopNonceUtilities.EncodeHash(DpopNonceUtilities.ComputeNonceHash(nonce));
+
+        var rawResult = await database.ScriptEvaluateAsync(
+            ConsumeScript,
+            new[] { nonceKey },
+            new RedisValue[] { hash }).ConfigureAwait(false);
+
+        if (rawResult.IsNull || (long)rawResult != 1)
+        {
+            return DpopNonceConsumeResult.NotFound();
+        }
+
+        var metadata = await database.StringGetAsync(metadataKey).ConfigureAwait(false);
+        await database.KeyDeleteAsync(metadataKey, CommandFlags.DemandMaster).ConfigureAwait(false);
+
+        if (!metadata.IsNull)
+        {
+            var parts = metadata.ToString()
+                .Split('|', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+
+            if (parts.Length == 2 &&
+                long.TryParse(parts[0], NumberStyles.Integer, CultureInfo.InvariantCulture, out var issuedTicks) &&
+                long.TryParse(parts[1], NumberStyles.Integer, CultureInfo.InvariantCulture, out var ttlTicks))
+            {
+                var issuedAt = new DateTimeOffset(issuedTicks, TimeSpan.Zero);
+                var expiresAt = issuedAt + TimeSpan.FromTicks(ttlTicks);
+                return expiresAt <= timeProvider.GetUtcNow()
+                    ? DpopNonceConsumeResult.Expired(issuedAt, expiresAt)
+                    : DpopNonceConsumeResult.Success(issuedAt, expiresAt);
+            }
+        }
+
+        return DpopNonceConsumeResult.Success(timeProvider.GetUtcNow(), timeProvider.GetUtcNow());
+    }
+}

src/StellaOps.Auth.Security/StellaOps.Auth.Security.csproj

@@ -29,6 +29,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.2.0" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
+    <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
     <PackageReference Include="Microsoft.SourceLink.GitLab" Version="8.0.0" PrivateAssets="All" />
   </ItemGroup>
   <ItemGroup>