feat(excititor): continuation — orchestrator test coverage + doc reconciliation

Follow-up to commit 7efa424fe (EXCITITOR-CFG-01/02/03). Captures the
continuation edits that landed alongside/after the initial commit:

- VexIngestOrchestrator.cs: additional effective-settings resolver
  hardening (+63 lines).
- DefaultVexProviderRunner.cs: worker-path settings merge refinement.
- VexIngestOrchestratorTests.cs (new): focused test coverage for the
  effective-settings + blocked-readiness path.
- DefaultVexProviderRunnerTests.cs: corresponding worker-path coverage.
- TASKS.md entries updated in both test projects.

Docs reconciliation:
- provider-credentials.md (new): operator credential-entry dossier
  mirroring the Concelier source-credentials.md pattern.
- provider-control-plane.md: cross-link updates.
- ops/connector-setup-guide.md: authoritative-inventory pointers updated
  to reference the new credential dossiers; microsoft-entra API-permission
  steps generalized to "your MSRC onboarding flow" (MSRC Security Updates
  API availability varies by tenant).
- SPRINT_20260422_007 execution log appended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-23 07:32:58 +03:00
parent a04a5582ea
commit 86f29d580c
11 changed files with 580 additions and 19 deletions


@@ -41,7 +41,20 @@ Tracked in:
## Credential requirements
Only the following connectors need operator-minted credentials — and **all three are currently in the aspirational catalog only**. You cannot configure them against a running backend until the connector code is wired. Steps are retained here so they're ready when that sprint lands.
Authoritative current-state inventories live here:
- `docs/modules/concelier/connectors.md`
- `docs/modules/concelier/operations/source-credentials.md`
- `docs/modules/excititor/operations/provider-control-plane.md`
- `docs/modules/excititor/operations/provider-credentials.md`
Current UI/CLI-configurable credentialed paths:
- Concelier advisory sources: `ghsa`, `cisco`, `microsoft`
- Concelier endpoint-override paths: `oracle`, `adobe`, `chromium`
- Excititor VEX providers: `excititor:cisco`, `excititor:suse-rancher`, `excititor:msrc`
The sections below keep the acquisition steps for the most common credentialed providers.
### GitHub Security Advisories (GHSA)
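Review bot: the connector status in this hunk reads two ways at once. The opening paragraph says all three credentialed connectors are "in the aspirational catalog only" and "cannot be configured against a running backend until the connector code is wired", yet the new "Current UI/CLI-configurable credentialed paths" list immediately below presents `excititor:cisco`, `excititor:suse-rancher` and `excititor:msrc` as configurable today. An operator following this page cannot tell whether entering MSRC or Cisco credentials now does anything. Suggest stating one status per connector, for example by marking each entry in the "Current UI/CLI-configurable" list as wired or aspirational, or by moving the aspirational caveat next to the specific entries it applies to, and cross-checking the wording against the `provider-credentials.md` inventory the hunk links as authoritative.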
@@ -64,16 +77,16 @@ Steps:
Cisco ref: <https://developer.cisco.com/docs/psirt/authentication/>.
### Microsoft MSRC (Concelier advisory + Excititor VEX — not yet wired for either)
### Microsoft MSRC (Concelier advisory + Excititor VEX)
**What Stella Ops needs**: a Microsoft Entra confidential client app with `SecurityUpdates.Read.All` API permission.
**What Stella Ops needs**: a Microsoft Entra confidential client app with the consent and scope required by your MSRC onboarding flow.
Steps:
1. <https://entra.microsoft.com/>**App registrations****New registration**.
2. Name: `stella-ops-concelier-msrc`. Single-tenant. Redirect URI blank.
3. From Overview: copy **Directory (tenant) ID** + **Application (client) ID**.
4. **Certificates & secrets****New client secret** → 24-month expiry → copy the `Value` column **immediately**.
5. **API permissions****Add a permission** → Security Updates API (App ID `83b40db2-0d04-4b56-9e77-0e7d76a47d4b`) → Application permissions → `SecurityUpdates.Read.All` → Grant admin consent.
5. Grant the application permissions and consent required by your MSRC onboarding process before storing the values in Stella Ops.
Microsoft refs: <https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app>, <https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials>.
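Review bot: replacing step 5's concrete permission (`SecurityUpdates.Read.All`, application permission, admin consent) with "permissions and consent required by your MSRC onboarding process" removes the only least-privilege anchor in this section; an operator now has no stated minimum scope to grant and nothing to check against when reviewing what the app registration was given. The commit message explains the change (API availability varies by tenant), so suggest keeping that rationale in the doc and retaining a sentence such as "grant only the read-scoped permission your tenant's MSRC onboarding exposes; do not grant broader Graph or directory permissions", plus a pointer to where the tenant-specific scope is recorded. Separately, the heading drops "not yet wired for either" while the earlier paragraph in this file still says these connectors cannot be configured until the code is wired; the two should agree.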