feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats

- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.

docs/notifications/templates.md

@@ -201,3 +201,39 @@ Rekor entry: {{link "Transparency log" payload.links.rekor}}
 ---
 
 > **Imposed rule reminder:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 8. Incident mode templates (NOTIFY-OBS-55-001)
+
+Incident toggles are high-noise events that must pierce quiet hours and include audit-ready context. Use dedicated templates so downstream tooling can distinguish activation vs. recovery and surface the required evidence.
+
+**Required context keys**
+- `payload.incidentId`, `payload.reason`, `payload.startedAt` / `payload.stoppedAt`.
+- `payload.links.trace` (root cause trace/span), `payload.links.evidence` (timeline/export bundle), `payload.links.timeline`.
+- `payload.retentionDays` (active) and `payload.retentionBaselineDays` (post-incident).
+- `payload.quietHoursOverride` (boolean) to justify bypassing quiet hours.
+- `payload.legal.jurisdiction`, `payload.legal.ticket`, `payload.legal.logPath` for compliance logging.
+
+**Template keys**
+- `tmpl-incident-start` — activation notice.
+- `tmpl-incident-stop` — recovery/cleanup notice.
+
+**Slack sample (start)**
+```hbs
+:rotating_light: Incident mode activated for {{payload.incidentId}}
+Reason: {{payload.reason}}
+Trace: {{link "root span" payload.links.trace}} · Evidence: {{link "bundle" payload.links.evidence}}
+Retention extended to {{payload.retentionDays}} days (baseline {{payload.retentionBaselineDays}})
+Quiet hours overridden: {{payload.quietHoursOverride}}
+Legal: {{payload.legal.jurisdiction}} (ticket {{payload.legal.ticket}})
+```
+
+**Email sample (stop)**
+```hbs
+<h2>Incident mode cleared: {{payload.incidentId}}</h2>
+<p>Stopped at {{payload.stoppedAt}} — retention reset to {{payload.retentionBaselineDays}} days.</p>
+<p>Timeline: {{link "view timeline" payload.links.timeline}} · Audit log: {{payload.legal.logPath}}</p>
+```
+
+See `src/Notifier/StellaOps.Notifier/docs/incident-mode-rules.sample.json` for ready-to-import rules referencing these templates with quiet-hour overrides and legal logging metadata.