feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats

- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.

docs/modules/concelier/architecture.md

@@ -604,6 +604,7 @@ concelier:
 
 1. **MVP**: Red Hat (CSAF), SUSE (CSAF), Ubuntu (USN JSON), OSV; JSON export.
 2. **Add**: GHSA GraphQL, Debian (DSA HTML/JSON), Alpine secdb; Trivy DB export.
-3. **Attestation hand‑off**: integrate with **Signer/Attestor** (optional).
-4. **Scale & diagnostics**: provider dashboards, staleness alerts, export cache reuse.
+3. **Attestation hand‑off**: integrate with **Signer/Attestor** (optional).
+   - Advisory evidence attestation parameters and path rules are documented in `docs/modules/concelier/attestation.md`.
+4. **Scale & diagnostics**: provider dashboards, staleness alerts, export cache reuse.
 5. **Offline kit**: end‑to‑end verified bundles for air‑gap.

docs/modules/concelier/attestation.md

@@ -0,0 +1,30 @@
+# Concelier Advisory Evidence Attestation
+
+## Purpose
+- Describe how Concelier returns attestation claims for advisory evidence bundles so downstream services (Advisory AI, Attestor, Console) can verify provenance.
+
+## Endpoint
+- `GET /vuln/evidence/advisories/{advisoryKey}`
+- Authentication/tenant headers follow standard Concelier rules (`X-Stella-Tenant` or `tenant` query; authority policies apply).
+- Response payload: `AdvisoryEvidenceResponse { advisoryKey, records[], attestation? }`
+
+## Attestation parameters (query)
+- `bundlePath` (required to enable attestation): Relative or absolute path to evidence bundle tar.gz. Relative paths are resolved under the configured evidence root (`concelier:evidence:root`). Paths outside this root are rejected.
+- `manifestPath` (optional): Defaults to sibling `manifest.json` next to the bundle.
+- `transparencyPath` (optional): Defaults to sibling `transparency.json` next to the bundle.
+- `pipelineVersion` (optional): Defaults to `concelier:evidence:pipelineVersion` (e.g., `git:<sha>`).
+
+## Behavior
+- When `bundlePath` is omitted, the endpoint returns evidence records only (attestation is `null`).
+- When provided, Concelier builds claims via `EvidenceBundleAttestationBuilder` using the manifest and optional transparency payload; tenant must be lowercase per scope note.
+- Path safety: All resolved files must live under the evidence root; traversal attempts or missing files silently skip attestation (response remains valid without claims).
+
+## Configuration
+- `concelier:evidence:root` (default `out/evidence/bundles`, resolved absolute).
+- `concelier:evidence:defaultManifestFileName` (default `manifest.json`).
+- `concelier:evidence:defaultTransparencyFileName` (default `transparency.json`).
+- `concelier:evidence:pipelineVersion` (default `git:unknown`).
+
+## References
+- Evidence Locker attestation scope: `docs/modules/evidence-locker/attestation-scope-note.md`.
+- Implementation: `src/Concelier/StellaOps.Concelier.WebService/Program.cs`, `StellaOps.Concelier.Core/Attestation/EvidenceBundleAttestationBuilder.cs`.

docs/modules/concelier/prep/2025-11-22-oas-obs-prep.md

@@ -0,0 +1,29 @@
+# Concelier OAS & Observability Prep (61-001..63-001, 51-001..55-001)
+
+Status: **Ready for implementation** (2025-11-22)
+Owners: Concelier Core Guild · API Contracts Guild · DevOps/Observability Guilds
+Scope: Freeze the API/SDK contracts and observability envelopes for LNM search/timeline APIs so downstream SDK, governance, and incident flows can proceed without schema churn.
+
+## Inputs
+- Frozen LNM payload schema: `docs/modules/concelier/link-not-merge-schema.md` (2025-11-17).
+- Event contract: `docs/modules/concelier/events/advisory.observation.updated@1.md`.
+- Registry/worker orchestration contract: `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`.
+
+## Deliverables
+- OpenAPI source stub for LNM + timeline surfaces recorded at `docs/modules/concelier/openapi/lnm-api.yaml` (paths enumerated; examples outlined below).
+- SDK example library checklist covering `searchAdvisories`, `searchLinksets`, `getTimeline`, `getObservationById`; response bodies aligned to frozen schema; no consensus/merge fields.
+- Observability contract (metrics/logs/traces):
+  - Metrics: `concelier_ingest_latency_seconds`, `concelier_linkset_conflicts_total`, `concelier_timeline_emit_lag_seconds`, `concelier_api_requests_total{route,tenant,status}` with burn-rate alert examples.
+  - Logs: structured fields `tenantId`, `advisoryKey`, `linksetId`, `timelineCursor`, `egressPolicy`.
+  - Traces: span names for `lnm.search`, `lnm.timeline`, `lnm.linkset-resolve` with baggage keys `tenant-id`, `request-id`.
+- Incident/observability hooks: timeline/attestation enrichment notes for OBS-54/55 including DSSE envelope hash field and sealed-mode redaction rules.
+
+## Acceptance Criteria
+- Request/response shapes for `/api/v1/lnm/advisories`, `/api/v1/lnm/linksets`, `/api/v1/lnm/timeline` documented with required query params (`tenantId`, `productKey`, `offset`, `limit`, `sort`, `includeTimeline=true|false`).
+- All responses MUST include `provenance` block (source, fetchedAt, digest, evidenceBundleId) and forbid consensus/merge fields.
+- Metrics/logs names and labels are deterministic and lowercase; alert examples reference burn-rate SLOs.
+- File path above is referenced from sprint trackers; any future schema edits require bumping version/comment in this prep doc.
+
+## Notes
+- This prep satisfies PREP-CONCELIER-OAS-61-001/002/62-001/63-001 and PREP-CONCELIER-OBS-51-001/52-001/53-001/54-001/55-001.
+- No external dependencies remaining; downstream tasks may proceed using the stubbed OpenAPI and observability contracts here.