Add channel test providers for Email, Slack, Teams, and Webhook

- Implemented EmailChannelTestProvider to generate email preview payloads.
- Implemented SlackChannelTestProvider to create Slack message previews.
- Implemented TeamsChannelTestProvider for generating Teams Adaptive Card previews.
- Implemented WebhookChannelTestProvider to create webhook payloads.
- Added INotifyChannelTestProvider interface for channel-specific preview generation.
- Created ChannelTestPreviewContracts for request and response models.
- Developed NotifyChannelTestService to handle test send requests and generate previews.
- Added rate limit policies for test sends and delivery history.
- Implemented unit tests for service registration and binding.
- Updated project files to include necessary dependencies and configurations.

docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md

@@ -13,7 +13,7 @@ Authority plug-ins extend the **StellaOps Authority** service with custom identi
 Authority hosts follow a deterministic plug-in lifecycle. The exported diagram (`docs/assets/authority/authority-plugin-lifecycle.svg`) mirrors the steps below; regenerate it from the Mermaid source if you update the flow.
 
 1. **Configuration load** – `AuthorityPluginConfigurationLoader` resolves YAML manifests under `etc/authority.plugins/`.
-2. **Assembly discovery** – the shared `PluginHost` scans `PluginBinaries/Authority` for `StellaOps.Authority.Plugin.*.dll` assemblies.
+2. **Assembly discovery** – the shared `PluginHost` scans `StellaOps.Authority.PluginBinaries` for `StellaOps.Authority.Plugin.*.dll` assemblies.
 3. **Registrar execution** – each assembly is searched for `IAuthorityPluginRegistrar` implementations. Registrars bind options, register services, and optionally queue bootstrap tasks.
 4. **Runtime** – the host resolves `IIdentityProviderPlugin` instances, uses capability metadata to decide which OAuth grants to expose, and invokes health checks for readiness endpoints.
 
@@ -177,7 +177,7 @@ _Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd`
 ## 10. Testing & Tooling
 - Unit tests: use Mongo2Go (or similar) to exercise credential stores without hitting production infrastructure (`StandardUserCredentialStoreTests` is a template).
 - Determinism: fix timestamps to UTC and sort outputs consistently; avoid random GUIDs unless stable.
-- Smoke tests: launch `dotnet run --project src/StellaOps.Authority/StellaOps.Authority` with your plug-in under `PluginBinaries/Authority` and verify `/ready`.
+- Smoke tests: launch `dotnet run --project src/StellaOps.Authority/StellaOps.Authority` with your plug-in under `StellaOps.Authority.PluginBinaries` and verify `/ready`.
 - Example verification snippet:
   ```csharp
   [Fact]
@@ -195,7 +195,7 @@ _Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd`
 
 ## 11. Packaging & Delivery
 - Output assembly should follow `StellaOps.Authority.Plugin.<Name>.dll` so the host’s search pattern picks it up.
-- Place the compiled DLL plus dependencies under `PluginBinaries/Authority` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming).
+- Place the compiled DLL plus dependencies under `StellaOps.Authority.PluginBinaries` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming).
 - Document any external prerequisites (e.g., CA cert bundle) in your plug-in README.
 - Update `etc/authority.plugins/<plugin>.yaml` samples and include deterministic SHA256 hashes for optional bootstrap payloads when distributing Offline Kit artefacts.
 

docs/dev/EXCITITOR_STATEMENT_BACKFILL.md

@@ -0,0 +1,86 @@
+# Excititor Statement Backfill Runbook
+
+Last updated: 2025-10-19
+
+## Overview
+
+Use this runbook when you need to rebuild the `vex.statements` collection from historical raw documents. Typical scenarios:
+
+- Upgrading the statement schema (e.g., adding severity/KEV/EPSS signals).
+- Recovering from a partial ingest outage where statements were never persisted.
+- Seeding a freshly provisioned Excititor deployment from an existing raw archive.
+
+Backfill operates server-side via the Excititor WebService and reuses the same pipeline that powers the `/excititor/statements` ingestion endpoint. Each raw document is normalized, signed metadata is preserved, and duplicate statements are skipped unless the run is forced.
+
+## Prerequisites
+
+1. **Connectivity to Excititor WebService** – the CLI uses the backend URL configured in `stellaops.yml` or the `--backend-url` argument.
+2. **Authority credentials** – the CLI honours the existing Authority client configuration; ensure the caller has permission to invoke admin endpoints.
+3. **Mongo replica set** (recommended) – causal consistency guarantees rely on majority read/write concerns. Standalone deployment works but skips cross-document transactions.
+
+## CLI command
+
+```
+stellaops excititor backfill-statements \
+  [--retrieved-since <ISO8601>] \
+  [--force] \
+  [--batch-size <int>] \
+  [--max-documents <int>]
+```
+
+| Option | Description |
+| ------ | ----------- |
+| `--retrieved-since` | Only process raw documents fetched on or after the specified timestamp (UTC by default). |
+| `--force` | Reprocess documents even if matching statements already exist (useful after schema upgrades). |
+| `--batch-size` | Number of raw documents pulled per batch (default `100`). |
+| `--max-documents` | Optional hard limit on the number of raw documents to evaluate. |
+
+Example – replay the last 48 hours of Red Hat ingest while keeping existing statements:
+
+```
+stellaops excititor backfill-statements \
+  --retrieved-since "$(date -u -d '48 hours ago' +%Y-%m-%dT%H:%M:%SZ)"
+```
+
+Example – full replay with forced overwrites, capped at 2,000 documents:
+
+```
+stellaops excititor backfill-statements --force --max-documents 2000
+```
+
+The command returns a summary similar to:
+
+```
+Backfill completed: evaluated 450, backfilled 180, claims written 320, skipped 270, failures 0.
+```
+
+## Behaviour
+
+- Raw documents are streamed in ascending `retrievedAt` order.
+- Each document is normalized using the registered VEX normalizers (CSAF, CycloneDX, OpenVEX).
+- Statements are appended through the same `IVexClaimStore.AppendAsync` path that powers `/excititor/statements`.
+- Duplicate detection compares `Document.Digest`; duplicates are skipped unless `--force` is specified.
+- Failures are logged with the offending digest and continue with the next document.
+
+## Observability
+
+- CLI logs aggregate counts and the backend logs per-digest warnings or errors.
+- Mongo writes carry majority write concern; expect backfill throughput to match ingest baselines (≈5 seconds warm, 30 seconds cold).
+- Monitor the `excititor.storage.backfill` log scope for detailed telemetry.
+
+## Post-run verification
+
+1. Inspect the `vex.statements` collection for the targeted window (check `InsertedAt`).
+2. Re-run the Excititor storage test suite if possible:
+   ```
+   dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj
+   ```
+3. Optionally, call `/excititor/statements/{vulnerabilityId}/{productKey}` to confirm the expected statements exist.
+
+## Rollback
+
+If a forced run produced incorrect statements, use the standard Mongo rollback procedure:
+
+1. Identify the `InsertedAt` window for the backfill run.
+2. Delete affected records from `vex.statements` (and any downstream exports if applicable).
+3. Rerun the backfill command with corrected parameters.

docs/dev/authority-dpop-mtls-plan.md

@@ -11,6 +11,8 @@
 - Operator-facing configuration, auditing, and observability.
 - Out of scope: PoE enforcement (Signer) and CLI/UI client UX; those teams consume the new capabilities.
 
+> **Status update (2025-10-19):** `ValidateDpopProofHandler`, `AuthorityClientCertificateValidator`, and the supporting storage/audit plumbing now live in `src/StellaOps.Authority`. DPoP proofs populate `cnf.jkt`, mTLS bindings enforce certificate thumbprints via `cnf.x5t#S256`, and token documents persist the sender constraint metadata. In-memory nonce issuance is wired (Redis implementation to follow). Documentation and configuration references were updated (`docs/11_AUTHORITY.md`). Targeted unit/integration tests were added; running the broader test suite is currently blocked by pre-existing `StellaOps.Concelier.Storage.Mongo` build errors.
+
 ## Design Summary
 - Extract the existing Scanner `DpopProofValidator` stack into a shared `StellaOps.Auth.Security` library used by Authority and resource servers.
 - Extend Authority configuration (`authority.yaml`) with strongly-typed `senderConstraints.dpop` and `senderConstraints.mtls` sections (map to sample already shown in architecture doc).

docs/dev/authority-plugin-di-coordination.md

@@ -0,0 +1,52 @@
+# Authority Plug-in Scoped Service Coordination
+
+> Created: 2025-10-19 — Plugin Platform Guild & Authority Core  
+> Status: Scheduled (session confirmed for 2025-10-20 15:00–16:00 UTC)
+
+This document tracks preparation, agenda, and outcomes for the scoped-service workshop required before implementing PLUGIN-DI-08-002.
+
+## Objectives
+
+- Inventory Authority plug-in surfaces that need scoped service lifetimes.
+- Confirm session/scope handling for identity-provider registrars and background jobs.
+- Assign follow-up tasks/actions with owners and due dates.
+
+## Scheduling Snapshot
+
+- **Meeting time:** 2025-10-20 15:00–16:00 UTC (10:00–11:00 CDT / 08:00–09:00 PDT).
+- **Facilitator:** Plugin Platform Guild — Alicia Rivera.
+- **Attendees (confirmed):** Authority Core — Jasmin Patel; Authority Security Guild — Mohan Singh; Plugin Platform — Alicia Rivera, Leah Chen.
+- **Optional invitees:** DevOps liaison — Sofia Ortega (accepted).
+- **Logistics:** Invites sent via shared calendar on 2025-10-19 15:30 UTC with Teams bridge + offline dial-in. Meeting notes will be captured here.
+- **Preparation deadline:** 2025-10-20 12:00 UTC — complete checklist below.
+
+## Pre-work Checklist
+
+- Review `ServiceBindingAttribute` contract introduced by PLUGIN-DI-08-001.
+- Collect existing Authority plug-in registration code paths to evaluate.
+- Audit background jobs that assume singleton lifetimes.
+- Identify plug-in health checks/telemetry surfaces impacted by scoped lifetimes.
+
+### Pre-work References
+
+- _Add links, file paths, or notes here prior to the session._
+
+## Draft Agenda
+
+1. Context recap (5 min) — why scoped DI is needed; summary of PLUGIN-DI-08-001 changes.
+2. Authority plug-in surfaces (15 min) — registrars, background services, telemetry.
+3. Session handling strategy (10 min) — scope creation semantics, cancellation propagation.
+4. Action items & owners (10 min) — capture code/docs/test tasks with due dates.
+5. Risks & follow-ups (5 min) — dependencies, rollout sequencing.
+
+## Notes
+
+- _Pending coordination session; populate afterwards._
+
+## Action Item Log
+
+| Item | Owner | Due | Status | Notes |
+|------|-------|-----|--------|-------|
+| Confirm meeting time | Alicia Rivera | 2025-10-19 15:30 UTC | DONE | Calendar invite sent; all required attendees accepted |
+| Compile Authority plug-in DI entry points | Jasmin Patel | 2025-10-20 | IN PROGRESS | Gather current Authority plug-in registrars, background jobs, and helper factories that assume singleton lifetimes; add the list with file paths to **Pre-work References** in this document before 2025-10-20 12:00 UTC. |
+| Outline scoped-session pattern for background jobs | Leah Chen | Post-session | BLOCKED | Requires meeting outcomes |

docs/dev/normalized_versions_rollout.md

@@ -19,19 +19,19 @@ This dashboard tracks connector readiness for emitting `AffectedPackage.Normaliz
 | Connector | Owner team | Normalized versions status | Last update | Next action / link |
 |-----------|------------|---------------------------|-------------|--------------------|
 | Acsc | BE-Conn-ACSC | ❌ Not started – mapper pending | 2025-10-11 | Design DTOs + mapper with normalized rule array; see `src/StellaOps.Concelier.Connector.Acsc/TASKS.md`. |
-| Cccs | BE-Conn-CCCS | ❌ Not started – mapper pending | 2025-10-11 | Add normalized SemVer array in canonical mapper; coordinate fixtures per `TASKS.md`. |
-| CertBund | BE-Conn-CERTBUND | ✅ Canonical mapper emitting vendor ranges | 2025-10-14 | Normalized vendor range payloads landed alongside telemetry/docs updates; see `src/StellaOps.Concelier.Connector.CertBund/TASKS.md`. |
+| Cccs | BE-Conn-CCCS | ⚠️ Scheduled – helper ready, implementation due 2025-10-21 | 2025-10-19 | Apply Merge-provided trailing-version helper to emit `NormalizedVersions`; update mapper/tests per `src/StellaOps.Concelier.Connector.Cccs/TASKS.md`. |
+| CertBund | BE-Conn-CERTBUND | ⚠️ Follow-up – translate `versions` strings to normalized rules | 2025-10-19 | Build `bis`/`alle` translator + fixtures before 2025-10-22 per `src/StellaOps.Concelier.Connector.CertBund/TASKS.md`. |
 | CertCc | BE-Conn-CERTCC | ⚠️ In progress – fetch pipeline DOING | 2025-10-11 | Implement VINCE mapper with SemVer/NEVRA rules; unblock snapshot regeneration; `src/StellaOps.Concelier.Connector.CertCc/TASKS.md`. |
 | Kev | BE-Conn-KEV | ✅ Normalized catalog/due-date rules verified | 2025-10-12 | Fixtures reconfirmed via `dotnet test src/StellaOps.Concelier.Connector.Kev.Tests`; `src/StellaOps.Concelier.Connector.Kev/TASKS.md`. |
 | Cve | BE-Conn-CVE | ✅ Normalized SemVer rules verified | 2025-10-12 | Snapshot parity green (`dotnet test src/StellaOps.Concelier.Connector.Cve.Tests`); `src/StellaOps.Concelier.Connector.Cve/TASKS.md`. |
 | Ghsa | BE-Conn-GHSA | ⚠️ DOING – normalized rollout task active | 2025-10-11 18:45 UTC | Wire `SemVerRangeRuleBuilder` + refresh fixtures; `src/StellaOps.Concelier.Connector.Ghsa/TASKS.md`. |
 | Osv | BE-Conn-OSV | ✅ SemVer mapper & parity fixtures verified | 2025-10-12 | GHSA parity regression passing (`dotnet test src/StellaOps.Concelier.Connector.Osv.Tests`); `src/StellaOps.Concelier.Connector.Osv/TASKS.md`. |
-| Ics.Cisa | BE-Conn-ICS-CISA | ❌ Not started – mapper TODO | 2025-10-11 | Plan SemVer/firmware scheme selection; `src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md`. |
-| Kisa | BE-Conn-KISA | ✅ Landed 2025-10-14 (mapper + telemetry) | 2025-10-11 | Hangul-aware mapper emits normalized rules; see `docs/dev/kisa_connector_notes.md` for localisation/metric details. |
+| Ics.Cisa | BE-Conn-ICS-CISA | ⚠️ Decision pending – normalize SemVer exacts or escalate scheme | 2025-10-19 | Promote `SemVerPrimitive` outputs into `NormalizedVersions` or file Models ticket by 2025-10-23 (`src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md`). |
+| Kisa | BE-Conn-KISA | ⚠️ Proposal required – firmware scheme due 2025-10-24 | 2025-10-19 | Draft `kisa.build` (or equivalent) scheme with Models, then emit normalized rules; track in `src/StellaOps.Concelier.Connector.Kisa/TASKS.md`. |
 | Ru.Bdu | BE-Conn-BDU | ✅ Raw scheme emitted | 2025-10-14 | Mapper now writes `ru-bdu.raw` normalized rules with provenance + telemetry; `src/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md`. |
 | Ru.Nkcki | BE-Conn-Nkcki | ❌ Not started – mapper TODO | 2025-10-11 | Similar to BDU; ensure Cyrillic provenance preserved; `src/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md`. |
 | Vndr.Apple | BE-Conn-Apple | ✅ Shipped – emitting normalized arrays | 2025-10-11 | Continue fixture/tooling work; `src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md`. |
-| Vndr.Cisco | BE-Conn-Cisco | ✅ SemVer + vendor extensions emitted | 2025-10-14 | Connector outputs SemVer primitives with `cisco.productId` notes; see `CiscoMapper` and fixtures for coverage. |
+| Vndr.Cisco | BE-Conn-Cisco | ⚠️ Scheduled – normalized rule emission due 2025-10-21 | 2025-10-19 | Use Merge helper to persist `NormalizedVersions` alongside SemVer primitives; see `src/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md`. |
 | Vndr.Msrc | BE-Conn-MSRC | ✅ Map + normalized build rules landed | 2025-10-15 | `MsrcMapper` emits `msrc.build` normalized rules with CVRF references; see `src/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md`. |
 | Nvd | BE-Conn-NVD | ⚠️ Needs follow-up – mapper complete but normalized array MR pending | 2025-10-11 | Align CVE notes + normalized payload flag; `src/StellaOps.Concelier.Connector.Nvd/TASKS.md`. |