docs consolidation work
This commit is contained in:
StellaOps Bot
@@ -1,6 +1,15 @@
|
||||
# StellaOps Concelier
|
||||
|
||||
Concelier ingests signed advisories from dozens of sources and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
|
||||
Concelier ingests signed advisories from **32 advisory connectors** and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
|
||||
|
||||
**Advisory Sources (32 connectors):**
|
||||
- **National CERTs (8):** ACSC (Australia), CCCS (Canada), CERT-Bund (Germany), CERT-CC (US), CERT-FR (France), CERT-IN (India), JVN (Japan), KISA (Korea)
|
||||
- **OS Distros (5):** Alpine SecDB, Debian Security Tracker, RedHat OVAL, SUSE OVAL, Ubuntu USN
|
||||
- **Vendors (7):** Apple, Adobe, Chromium, Cisco PSIRT, Microsoft MSRC, Oracle, VMware
|
||||
- **Standards (5):** CVE, NVD, GHSA (GitHub), OSV, EPSS v4
|
||||
- **Threat Intel (3):** KEV (CISA Exploited Vulns), CISA ICS, Kaspersky ICS
|
||||
- **Regional (3):** Russia BDU, Russia NKCKI, Plus regional mirrors
|
||||
- **Internal (1):** StellaOps internal mirror
|
||||
|
||||
## Responsibilities
|
||||
- Fetch and normalise vulnerability advisories via restart-time connectors.
|
||||
@@ -41,3 +50,28 @@ Concelier ingests signed advisories from dozens of sources and converts them int
|
||||
## Epic alignment
|
||||
- **Epic 1 – AOC enforcement:** uphold raw observation invariants, provenance requirements, linkset-only enrichment, and AOC verifier guardrails across every connector.
|
||||
- **Epic 10 – Export Center:** expose deterministic advisory exports and metadata required by JSON/Trivy/mirror bundles.
|
||||
|
||||
## Implementation Status
|
||||
|
||||
**Delivery Phases:**
|
||||
- Phase 1 (Guardrails & schema) – PostgreSQL validators, AOCWriteGuard interceptor, deterministic linkset builders operational
|
||||
- Phase 2 (API & observability) – Ingestion/verification endpoints with Authority scopes, telemetry, Offline Kit packaging
|
||||
- Phase 3 (Experience polish) – CLI/Console affordances, Export Center hand-off metadata, CI enforcement
|
||||
|
||||
**Acceptance Criteria:**
|
||||
- PostgreSQL validators and runtime guards reject forbidden fields and missing provenance with ERR_AOC_00x codes
|
||||
- Linksets and supersedes chains deterministic; identical payloads yield byte-identical documents
|
||||
- CLI `stella aoc verify` exits non-zero on violations, zero on clean datasets
|
||||
- Export Center consumes advisory datasets without legacy normalized fields
|
||||
- CI fails on lint violations or guard test regressions
|
||||
|
||||
**Key Risks & Mitigations:**
|
||||
- Collector drift: guard middleware + CI lint + schema validation; RFC required for linkset changes
|
||||
- Migration complexity: staged cutover with backup copies, temporary views for Policy Engine parity
|
||||
- Performance overhead: guard remains O(number of keys), index review for insert latency targets
|
||||
- Tenancy leakage: tenant required in schema, Authority claims enforced, observability alerts
|
||||
|
||||
**Recent Milestones:**
|
||||
- Sprint 110 attestation chain validated, evidence bundle tests green
|
||||
- Link-Not-Merge cache and console consumption docs frozen
|
||||
- Observation events transport reviewed, NATS/air-gap guidance updated
|
||||
|
||||
Reference in New Issue
Block a user