Advisory Data Sources
-
Choose how vulnerability and VEX advisory data is delivered to your instance.
+
Choose how vulnerability and VEX advisory data is delivered to your instance. You can skip this step and turn advisories on later from Integrations → Advisory & VEX Sources.
@@ -1451,8 +1451,8 @@ export function mergeSetupStepLocalDefaults(
- Custom Feed Sources
- Configure individual advisory feeds directly (NVD, GHSA, OSV, Red Hat, Ubuntu, Debian, etc.). Use this for air-gapped or restricted environments.
+ Manual Feed Sources
+ Configure individual advisory and VEX feeds directly (NVD, GHSA, OSV, CSAF, VEX, Red Hat, Ubuntu, Debian, etc.). Use this for air-gapped or restricted environments.
@@ -1460,7 +1460,7 @@ export function mergeSetupStepLocalDefaults(
@if (sourceFeedMode() === 'mirror') {
Mirror Configuration
-
Connect to a reachable advisory mirror endpoint. For local/offline setup, prefer Custom Feed Sources unless a mirror URL is explicitly available.
+
StellaOps Mirror is the default recommended path. Leave the default URL in place unless your environment uses a different reachable mirror endpoint.
Mirror URL
Optional. Provides higher rate limits and access to priority feeds.
+ @if (hasRetainedSecret('sources.mirror.apiKey') && !getConfigValue('sources.mirror.apiKey')) {
+ Mirror API key retained securely on the server. Leave the field untouched to keep it, or type a new key to replace it.
+ } @else {
+ Optional. Provides higher rate limits and access to priority feeds.
+ }
}
@@ -1488,8 +1492,8 @@ export function mergeSetupStepLocalDefaults(
@if (sourceFeedMode() === 'custom') {
-
Individual Feed Sources
-
Enable and configure individual advisory data feeds.
+
Manual Advisory & VEX Sources
+
Enable and configure individual advisory and VEX data feeds.
@for (source of sourcesProviders; track source.id) {
@@ -1914,6 +1918,8 @@ export class StepContentComponent {
'https://mirrors.stella-ops.org/feeds/',
]);
+ private static readonly DEFAULT_STELLA_MIRROR_URL = 'https://mirror.stella-ops.org';
+
/** Emit defaults for the current step if no values are set yet. */
private readonly defaultsEffect = effect(() => {
const step = this.tryGetStep();
@@ -1948,6 +1954,34 @@ export class StepContentComponent {
if (sourceMode && !this.sourceFeedMode()) {
this.sourceFeedMode.set(sourceMode);
}
+ if (!sourceMode && !this.sourceFeedMode()) {
+ this.sourceFeedMode.set('mirror');
+ }
+
+ const selectedSources = new Set
();
+ const enabledList = config['sources.enabled'];
+ if (enabledList) {
+ for (const sourceId of enabledList.split(',').map(value => value.trim()).filter(Boolean)) {
+ selectedSources.add(sourceId);
+ }
+ }
+ for (const [key, value] of Object.entries(config)) {
+ if (!key.startsWith('sources.') || !key.endsWith('.enabled')) {
+ continue;
+ }
+
+ const sourceId = key.slice('sources.'.length, -'.enabled'.length);
+ if (!sourceId || sourceId === 'mirror') {
+ continue;
+ }
+
+ if (value === 'true') {
+ selectedSources.add(sourceId);
+ } else if (value === 'false') {
+ selectedSources.delete(sourceId);
+ }
+ }
+ this.enabledSources.set(selectedSources);
const mirrorUrlRaw = config['sources.mirror.url'];
const mirrorUrl = typeof mirrorUrlRaw === 'string'
@@ -1958,10 +1992,9 @@ export class StepContentComponent {
StepContentComponent.LEGACY_MIRROR_ENDPOINT_DEFAULTS.has(mirrorUrl)
) {
this.legacyMirrorDefaultsSanitized = true;
- this.configChange.emit({ key: 'sources.mirror.url', value: '' });
- this.configChange.emit({ key: 'sources.mirror.apiKey', value: '' });
- this.sourceFeedMode.set('custom');
- this.configChange.emit({ key: 'sources.mode', value: 'custom' });
+ this.configChange.emit({ key: 'sources.mirror.url', value: StepContentComponent.DEFAULT_STELLA_MIRROR_URL });
+ this.sourceFeedMode.set('mirror');
+ this.configChange.emit({ key: 'sources.mode', value: 'mirror' });
}
});
@@ -1977,7 +2010,7 @@ export class StepContentComponent {
readonly sourceFeedMode = signal<'mirror' | 'custom' | null>(null);
// Enabled sources (track by source ID)
- readonly enabledSources = signal>(new Set(['nvd', 'ghsa']));
+ readonly enabledSources = signal>(new Set());
// Migrations state
readonly pendingMigrations = signal([]);
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/components/step-content.defaults.spec.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/components/step-content.defaults.spec.ts
index 0d37b0041..a3a84343d 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/components/step-content.defaults.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/components/step-content.defaults.spec.ts
@@ -9,8 +9,8 @@ describe('StepContentComponent local defaults', () => {
'authority.provider': 'standard',
'users.superuser.username': 'admin',
'users.superuser.email': 'admin@stella-ops.local',
- 'users.superuser.password': 'Admin@Stella1',
}));
+ expect(SETUP_STEP_LOCAL_DEFAULTS.admin['users.superuser.password']).toBeUndefined();
});
it('keeps the legacy authority and users defaults for compatibility', () => {
@@ -30,8 +30,11 @@ describe('StepContentComponent local defaults', () => {
'authority.provider': 'standard',
'users.superuser.username': 'custom-admin',
'users.superuser.email': 'admin@stella-ops.local',
- 'users.superuser.password': 'Admin@Stella1',
}));
+ expect(mergeSetupStepLocalDefaults('admin', {
+ 'users.superuser.username': 'custom-admin',
+ 'users.superuser.email': '',
+ })['users.superuser.password']).toBeUndefined();
});
it('does not inject sensitive defaults when the backend retained a secret for the step', () => {
@@ -46,4 +49,34 @@ describe('StepContentComponent local defaults', () => {
'users.superuser.username': 'admin',
}, ['users.superuser.password'])['users.superuser.password']).toBeUndefined();
});
+
+ it('defaults advisory and vex setup to StellaOps Mirror', () => {
+ expect(SETUP_STEP_LOCAL_DEFAULTS.sources).toEqual(expect.objectContaining({
+ 'sources.mode': 'mirror',
+ 'sources.mirror.url': 'https://mirror.stella-ops.org',
+ }));
+ expect(SETUP_STEP_LOCAL_DEFAULTS.sources['sources.mirror.apiKey']).toBeUndefined();
+ });
+
+ it('merges advisory source defaults without overwriting explicit operator input', () => {
+ expect(mergeSetupStepLocalDefaults('sources', {
+ 'sources.mode': 'manual',
+ 'sources.mirror.url': 'https://custom.example',
+ })).toEqual(expect.objectContaining({
+ 'sources.mode': 'manual',
+ 'sources.mirror.url': 'https://custom.example',
+ }));
+ });
+
+ it('does not inject mirror api key defaults when the backend retained a source secret', () => {
+ expect(mergeSetupStepLocalDefaults('sources', {
+ 'sources.mode': 'mirror',
+ }, ['sources.mirror.apiKey'])).toEqual(expect.objectContaining({
+ 'sources.mode': 'mirror',
+ 'sources.mirror.url': 'https://mirror.stella-ops.org',
+ }));
+ expect(mergeSetupStepLocalDefaults('sources', {
+ 'sources.mode': 'mirror',
+ }, ['sources.mirror.apiKey'])['sources.mirror.apiKey']).toBeUndefined();
+ });
});
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/models/setup-wizard.models.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/models/setup-wizard.models.ts
index 76011769f..5b44c1e72 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/models/setup-wizard.models.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/models/setup-wizard.models.ts
@@ -320,11 +320,9 @@ export type SourcesProvider =
| 'ubuntu'
| 'debian'
| 'alpine'
- | 'wolfi'
- | 'vex-csaf'
- | 'vex-openvex'
- | 'vex-cyclonedx'
- | 'mirror-custom';
+ | 'csaf'
+ | 'csaf-tc'
+ | 'vex';
/** Authority provider configurations */
export const AUTHORITY_PROVIDERS: ProviderInfo[] = [
@@ -969,65 +967,33 @@ export const SOURCES_PROVIDERS: ProviderInfo[] = [
],
},
{
- id: 'wolfi',
- name: 'Wolfi Security Advisories',
- description: 'Wolfi/Chainguard security advisories',
- icon: 'shield',
- fields: [
- { id: 'enabled', label: 'Enable Wolfi Feed', type: 'boolean', required: false, defaultValue: true },
- ],
- },
- // VEX (Vulnerability Exploitability eXchange) Sources
- {
- id: 'vex-csaf',
- name: 'VEX CSAF Feeds',
- description: 'CSAF-format VEX statements from vendors (RedHat, Cisco, etc.)',
+ id: 'csaf',
+ name: 'CSAF Aggregator',
+ description: 'Structured CSAF/VEX provider catalogs and vendor advisories.',
icon: 'shield-check',
fields: [
- { id: 'enabled', label: 'Enable CSAF VEX', type: 'boolean', required: false, defaultValue: true },
- { id: 'providers', label: 'CSAF Providers', type: 'textarea', required: false, placeholder: 'https://www.redhat.com/.well-known/csaf/provider-metadata.json\nhttps://sec.cloudapps.cisco.com/.well-known/csaf/provider-metadata.json', helpText: 'One provider metadata URL per line' },
- { id: 'trustAnchors', label: 'Trust Anchors (PGP Keys)', type: 'textarea', required: false, helpText: 'PGP key fingerprints for signature verification (one per line)' },
+ { id: 'enabled', label: 'Enable CSAF Aggregator', type: 'boolean', required: false, defaultValue: true },
+ { id: 'providers', label: 'Provider Catalog URLs', type: 'textarea', required: false, placeholder: 'https://www.redhat.com/.well-known/csaf/provider-metadata.json', helpText: 'Optional override. One provider metadata URL per line.' },
],
},
{
- id: 'vex-openvex',
- name: 'OpenVEX Feeds',
- description: 'OpenVEX-format vulnerability statements',
+ id: 'csaf-tc',
+ name: 'Trusted CSAF Catalog',
+ description: 'Trusted catalog of CSAF providers for vendor VEX retrieval.',
icon: 'shield-check',
fields: [
- { id: 'enabled', label: 'Enable OpenVEX', type: 'boolean', required: false, defaultValue: true },
- { id: 'feedUrls', label: 'OpenVEX Feed URLs', type: 'textarea', required: false, placeholder: 'https://example.com/vex/feed.json', helpText: 'One feed URL per line' },
+ { id: 'enabled', label: 'Enable Trusted CSAF Catalog', type: 'boolean', required: false, defaultValue: true },
+ { id: 'catalogUrl', label: 'Catalog URL', type: 'text', required: false, placeholder: 'https://csaf.io/', helpText: 'Optional override for the trusted CSAF catalog endpoint.' },
],
},
{
- id: 'vex-cyclonedx',
- name: 'CycloneDX VEX',
- description: 'CycloneDX BOM with embedded VEX statements',
+ id: 'vex',
+ name: 'Generic VEX Feed',
+ description: 'Generic VEX/OpenVEX document feed for vendor exploitability statements.',
icon: 'shield-check',
fields: [
- { id: 'enabled', label: 'Enable CycloneDX VEX', type: 'boolean', required: false, defaultValue: true },
- { id: 'watchDirectory', label: 'Watch Directory', type: 'text', required: false, placeholder: '/var/lib/stella/vex/cyclonedx', helpText: 'Directory to watch for VEX BOM files' },
- ],
- },
- // Custom Mirror Sources
- {
- id: 'mirror-custom',
- name: 'Custom Advisory Mirror',
- description: 'Custom or private advisory feed mirror for air-gapped or enterprise environments',
- icon: 'server',
- fields: [
- { id: 'enabled', label: 'Enable Custom Mirror', type: 'boolean', required: false, defaultValue: false },
- { id: 'mirrorUrl', label: 'Mirror Base URL', type: 'text', required: true, placeholder: 'https://mirror.internal/advisories', helpText: 'Base URL for the advisory mirror' },
- { id: 'authType', label: 'Authentication', type: 'select', required: false, defaultValue: 'none', options: [
- { value: 'none', label: 'None (Public)' },
- { value: 'basic', label: 'Basic Auth' },
- { value: 'bearer', label: 'Bearer Token' },
- { value: 'mtls', label: 'Mutual TLS' },
- ]},
- { id: 'username', label: 'Username', type: 'text', required: false },
- { id: 'password', label: 'Password/Token', type: 'password', required: false },
- { id: 'caCert', label: 'CA Certificate (PEM)', type: 'textarea', required: false, helpText: 'Custom CA certificate for self-signed mirrors' },
- { id: 'syncInterval', label: 'Sync Interval (hours)', type: 'number', required: false, defaultValue: 6, validation: { min: 1, max: 168 } },
+ { id: 'enabled', label: 'Enable Generic VEX Feed', type: 'boolean', required: false, defaultValue: true },
+ { id: 'feedUrl', label: 'VEX Feed URL', type: 'text', required: false, placeholder: 'https://example.com/vex/feed.json', helpText: 'Optional override for a vendor or internal VEX document feed.' },
],
},
];
@@ -1173,7 +1139,7 @@ export const DEFAULT_SETUP_STEPS: SetupStep[] = [
{
id: 'sources',
name: 'Advisory Data Sources',
- description: 'Choose Stella Ops Mirror for pre-aggregated feeds or configure custom advisory sources for CVE/VEX vulnerability data.',
+ description: 'Enable StellaOps Mirror by default, or switch to manual advisory and VEX source configuration.',
category: 'Release Control Plane',
order: 60,
isRequired: false,
@@ -1181,9 +1147,9 @@ export const DEFAULT_SETUP_STEPS: SetupStep[] = [
dependencies: [],
validationChecks: ['check.sources.feeds.configured', 'check.sources.feeds.connectivity'],
status: 'pending',
- configureLaterUiPath: 'Settings → Security Data',
+ configureLaterUiPath: 'Integrations → Advisory & VEX Sources',
configureLaterCliCommand: 'stella config set sources.*',
- skipWarning: 'CVE/VEX advisory feeds will require manual updates.',
+ skipWarning: 'Advisories and VEX stay turned off until you enable a source later from Integrations → Advisory & VEX Sources.',
},
// Phase 5: Notifications (Optional)
{
@@ -1286,11 +1252,12 @@ export const TRUTHFUL_SETUP_STEP_IDS: readonly SetupStepId[] = [
'migrations',
'admin',
'crypto',
+ 'sources',
];
export function createTruthfulSetupSteps(): SetupStep[] {
const projected = DEFAULT_SETUP_STEPS
- .filter(step => step.id === 'database' || step.id === 'cache' || step.id === 'migrations' || step.id === 'crypto')
+ .filter(step => step.id === 'database' || step.id === 'cache' || step.id === 'migrations' || step.id === 'crypto' || step.id === 'sources')
.map(step => ({ ...step }));
const welcomeStep: SetupStep = {
id: 'welcome',
@@ -1347,6 +1314,22 @@ export function createTruthfulSetupSteps(): SetupStep[] {
};
}
+ if (step.id === 'sources') {
+ return {
+ ...step,
+ order: 60,
+ category: 'Release Control Plane',
+ description: 'Enable StellaOps Mirror by default, switch to manual advisory/VEX feeds if needed, or skip and turn advisories on later.',
+ isRequired: false,
+ isSkippable: true,
+ dependencies: ['admin'],
+ validationChecks: ['check.sources.feeds.configured', 'check.sources.feeds.connectivity'],
+ configureLaterUiPath: 'Integrations → Advisory & VEX Sources',
+ configureLaterCliCommand: 'stella config set sources.*',
+ skipWarning: 'Advisories and VEX remain off until you enable a source later from Integrations → Advisory & VEX Sources.',
+ };
+ }
+
return {
...step,
description: 'Verify the configured crypto profile or accept the built-in default profile for the local installation.',
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts
index 196e707f8..2ea0838e6 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts
@@ -277,6 +277,7 @@ describe('SetupWizardApiService', () => {
expect(parsed).toEqual({
code: 'VALIDATION',
message: 'Validation Failed',
+ status: 503,
detail: 'Platform unavailable',
retryable: true,
suggestedFixes: [
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts
index 62fe91142..5708d7ad6 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts
@@ -25,6 +25,7 @@ export interface ProblemDetails {
export interface SetupApiError {
code: string;
message: string;
+ status?: number;
detail?: string;
retryable: boolean;
suggestedFixes?: string[];
@@ -259,6 +260,7 @@ export class SetupWizardApiService {
return {
code: 'NETWORK_ERROR',
message: 'Unable to connect to the server',
+ status: 0,
detail: error.error.message,
retryable: true,
};
@@ -269,6 +271,7 @@ export class SetupWizardApiService {
return {
code: this.extractErrorCode(problem),
message: problem.title,
+ status: error.status,
detail: problem.detail,
retryable: this.isRetryable(error.status),
suggestedFixes: this.getSuggestedFixes(problem),
@@ -278,6 +281,7 @@ export class SetupWizardApiService {
return {
code: `HTTP_${error.status}`,
message: this.getStatusMessage(error.status),
+ status: error.status,
detail: error.message,
retryable: this.isRetryable(error.status),
};
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts
index 60ea02084..df45682bc 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts
@@ -96,7 +96,7 @@ describe('SetupWizardStateService', () => {
expect(service.configValues()['users.superuser.password']).toBe('Admin@Stella1');
});
- it('falls back to the first pending step when the backend session has no current step', () => {
+ it('falls back to the first pending real step when the backend session has no current step', () => {
const session: SetupSession = {
sessionId: 'session-2',
scopeKey: 'installation',
@@ -116,7 +116,31 @@ describe('SetupWizardStateService', () => {
service.initializeSession(session);
- expect(service.currentStepId()).toBe('welcome');
+ expect(service.currentStepId()).toBe('cache');
+ });
+
+ it('falls back to the last completed real step when the backend session has no current step and no pending steps', () => {
+ const session: SetupSession = {
+ sessionId: 'session-2b',
+ scopeKey: 'installation',
+ status: 'in_progress',
+ startedAt: '2026-04-14T00:00:00Z',
+ definitionVersion: 'v1',
+ configValues: {},
+ steps: [
+ { stepId: 'database', status: 'completed' },
+ { stepId: 'cache', status: 'completed' },
+ { stepId: 'migrations', status: 'completed' },
+ { stepId: 'admin', status: 'completed' },
+ { stepId: 'crypto', status: 'completed' },
+ ],
+ completedSteps: ['database', 'cache', 'migrations', 'admin', 'crypto'],
+ skippedSteps: [],
+ };
+
+ service.initializeSession(session);
+
+ expect(service.currentStepId()).toBe('crypto');
});
it('navigates backward without returning to welcome', () => {
diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts
index 5c0ab503c..7c4880fe8 100644
--- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts
+++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts
@@ -268,9 +268,15 @@ export class SetupWizardStateService {
if (session.currentStep) {
this.currentStepId.set(session.currentStep);
} else {
- const firstPending = this.orderedSteps().find(s => s.status === 'pending');
+ const orderedRealSteps = this.orderedSteps().filter(step => step.id !== 'welcome');
+ const firstPending = orderedRealSteps.find(s => s.status === 'pending');
if (firstPending) {
this.currentStepId.set(firstPending.id);
+ } else {
+ const lastCompleted = [...orderedRealSteps]
+ .reverse()
+ .find(step => step.status === 'completed' || step.status === 'skipped' || step.status === 'failed');
+ this.currentStepId.set(lastCompleted?.id ?? null);
}
}
}
diff --git a/src/Web/StellaOps.Web/src/tests/security-risk/advisory-source-catalog.behavior.spec.ts b/src/Web/StellaOps.Web/src/tests/security-risk/advisory-source-catalog.behavior.spec.ts
new file mode 100644
index 000000000..a0041dace
--- /dev/null
+++ b/src/Web/StellaOps.Web/src/tests/security-risk/advisory-source-catalog.behavior.spec.ts
@@ -0,0 +1,265 @@
+import '@angular/compiler';
+import { provideNoopAnimations } from '@angular/platform-browser/animations';
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+import { BrowserTestingModule, platformBrowserTesting } from '@angular/platform-browser/testing';
+import { provideRouter } from '@angular/router';
+import { of } from 'rxjs';
+import { signal } from '@angular/core';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+import { AdvisorySourceCatalogComponent } from '../../app/features/integrations/advisory-vex-sources/advisory-source-catalog.component';
+import { SourceManagementApi } from '../../app/features/integrations/advisory-vex-sources/source-management.api';
+import { MirrorManagementApi } from '../../app/features/integrations/advisory-vex-sources/mirror-management.api';
+import { PlatformContextStore } from '../../app/core/context/platform-context.store';
+
+try {
+ TestBed.initTestEnvironment(BrowserTestingModule, platformBrowserTesting());
+} catch (error) {
+ if (!(error instanceof Error) || !error.message.includes('Cannot set base providers')) {
+ throw error;
+ }
+}
+
+describe('AdvisorySourceCatalogComponent behavior', () => {
+ let fixture: ComponentFixture;
+ let component: AdvisorySourceCatalogComponent;
+ let sourceApi: jest.Mocked;
+ let mirrorApi: jest.Mocked;
+
+ const contextStore = {
+ advisoryCategories: signal([]),
+ } as Partial;
+
+ beforeEach(async () => {
+ sourceApi = {
+ getCatalog: jest.fn(),
+ getStatus: jest.fn(),
+ enableSource: jest.fn(),
+ disableSource: jest.fn(),
+ checkAll: jest.fn(),
+ checkSource: jest.fn(),
+ batchEnable: jest.fn(),
+ batchDisable: jest.fn(),
+ getCheckResult: jest.fn(),
+ syncSource: jest.fn(),
+ syncAll: jest.fn(),
+ getSourceMetrics: jest.fn(),
+ } as unknown as jest.Mocked;
+
+ mirrorApi = {
+ getConfig: jest.fn(),
+ getHealthSummary: jest.fn(),
+ createDomain: jest.fn(),
+ generateDomain: jest.fn(),
+ listDomains: jest.fn(),
+ getDomainConfig: jest.fn(),
+ getDomainEndpoints: jest.fn(),
+ testMirror: jest.fn(),
+ saveConsumerConfig: jest.fn(),
+ getConsumerConfig: jest.fn(),
+ discoverDomains: jest.fn(),
+ discoverSignature: jest.fn(),
+ updateConfig: jest.fn(),
+ importBundle: jest.fn(),
+ getImportStatus: jest.fn(),
+ } as unknown as jest.Mocked;
+
+ sourceApi.getCatalog.mockReturnValue(of({
+ items: [
+ {
+ id: 'stella-mirror',
+ displayName: 'StellaOps Mirror',
+ category: 'Mirror',
+ type: 'mirror',
+ description: 'Managed pre-aggregated advisory mirror',
+ baseEndpoint: 'https://mirror.stella-ops.org',
+ requiresAuth: false,
+ credentialEnvVar: null,
+ credentialUrl: null,
+ documentationUrl: null,
+ defaultPriority: 100,
+ regions: [],
+ tags: [],
+ enabledByDefault: false,
+ },
+ ],
+ totalCount: 1,
+ }));
+ sourceApi.getStatus.mockReturnValue(of({
+ sources: [
+ {
+ sourceId: 'stella-mirror',
+ enabled: false,
+ lastCheck: null,
+ },
+ ],
+ }));
+ sourceApi.getSourceMetrics.mockReturnValue(of({
+ items: [],
+ totalCount: 0,
+ dataAsOf: '2026-04-17T12:00:00Z',
+ }));
+ sourceApi.enableSource.mockReturnValue(of(void 0));
+ sourceApi.disableSource.mockReturnValue(of(void 0));
+ sourceApi.checkSource.mockReturnValue(of({
+ sourceId: 'stella-mirror',
+ status: 'healthy',
+ checkedAt: '2026-04-17T12:00:00Z',
+ latency: '10ms',
+ errorMessage: null,
+ errorCode: null,
+ httpStatusCode: 200,
+ possibleReasons: [],
+ remediationSteps: [],
+ isHealthy: true,
+ }));
+ sourceApi.batchEnable.mockReturnValue(of({ results: [] }));
+ sourceApi.batchDisable.mockReturnValue(of({ results: [] }));
+ sourceApi.syncSource.mockReturnValue(of({
+ sourceId: 'stella-mirror',
+ jobKind: 'source:stella-mirror:fetch',
+ outcome: 'accepted',
+ runId: 'run-1',
+ message: null,
+ }));
+
+ mirrorApi.getConfig.mockReturnValue(of({
+ mode: 'Direct',
+ consumerMirrorUrl: null,
+ consumerConnected: false,
+ lastConsumerSync: null,
+ }));
+ mirrorApi.getHealthSummary.mockReturnValue(of({
+ totalDomains: 0,
+ freshCount: 0,
+ staleCount: 0,
+ neverGeneratedCount: 0,
+ totalAdvisoryCount: 0,
+ }));
+
+ await TestBed.configureTestingModule({
+ imports: [AdvisorySourceCatalogComponent],
+ providers: [
+ provideRouter([]),
+ provideNoopAnimations(),
+ { provide: SourceManagementApi, useValue: sourceApi },
+ { provide: MirrorManagementApi, useValue: mirrorApi },
+ { provide: PlatformContextStore, useValue: contextStore },
+ ],
+ }).compileComponents();
+
+ fixture = TestBed.createComponent(AdvisorySourceCatalogComponent);
+ component = fixture.componentInstance;
+ });
+
+ afterEach(() => {
+ fixture?.destroy();
+ TestBed.resetTestingModule();
+ sourceApi.getCatalog.mockReset();
+ sourceApi.getStatus.mockReset();
+ sourceApi.enableSource.mockReset();
+ sourceApi.disableSource.mockReset();
+ sourceApi.checkSource.mockReset();
+ sourceApi.batchEnable.mockReset();
+ sourceApi.batchDisable.mockReset();
+ sourceApi.syncSource.mockReset();
+ sourceApi.getSourceMetrics.mockReset();
+ mirrorApi.getConfig.mockReset();
+ mirrorApi.getHealthSummary.mockReset();
+ });
+
+ it('shows an advisories-off banner when no sources are enabled', async () => {
+ fixture.detectChanges();
+ await fixture.whenStable();
+ fixture.detectChanges();
+
+ const banner = fixture.nativeElement.querySelector('.banner--warning');
+ expect(component.enabledCount()).toBe(0);
+ expect(banner?.textContent).toContain('Advisories and VEX are currently turned off');
+ expect(banner?.textContent).toContain('Enable StellaOps Mirror');
+ });
+
+ it('enables StellaOps Mirror from the banner CTA and refreshes status', async () => {
+ fixture.detectChanges();
+ await fixture.whenStable();
+ fixture.detectChanges();
+
+ const statusCallsBefore = sourceApi.getStatus.mock.calls.length;
+ const metricsCallsBefore = sourceApi.getSourceMetrics.mock.calls.length;
+
+ component.enableDefaultMirror();
+
+ expect(sourceApi.enableSource).toHaveBeenCalledWith('stella-mirror');
+ expect(sourceApi.getStatus.mock.calls.length).toBe(statusCallsBefore + 1);
+ expect(sourceApi.getSourceMetrics.mock.calls.length).toBe(metricsCallsBefore + 1);
+ });
+
+ it('hides the advisories-off banner when at least one source is enabled', async () => {
+ sourceApi.getStatus.mockReturnValue(of({
+ sources: [
+ {
+ sourceId: 'stella-mirror',
+ enabled: true,
+ lastCheck: null,
+ },
+ ],
+ }));
+
+ fixture.detectChanges();
+ await fixture.whenStable();
+ fixture.detectChanges();
+
+ const banner = fixture.nativeElement.querySelector('.banner--warning');
+ expect(component.enabledCount()).toBe(1);
+ expect(banner).toBeFalsy();
+ });
+
+ it('shows a top-level warning when an enabled source has a sync error', async () => {
+ sourceApi.getStatus.mockReturnValue(of({
+ sources: [
+ {
+ sourceId: 'stella-mirror',
+ enabled: true,
+ lastCheck: null,
+ },
+ ],
+ }));
+ sourceApi.getSourceMetrics.mockReturnValue(of({
+ items: [
+ {
+ sourceId: 'stella-mirror',
+ sourceKey: 'stella-mirror',
+ sourceName: 'StellaOps Mirror',
+ totalAdvisories: 0,
+ signedAdvisories: 0,
+ unsignedAdvisories: 0,
+ lastSuccessAt: null,
+ lastSyncAt: '2026-04-18T10:00:00Z',
+ syncCount: 0,
+ errorCount: 1,
+ freshnessStatus: 'unavailable',
+ freshnessAgeSeconds: 0,
+ freshnessSlaSeconds: 0,
+ lastError: 'RemoteCertificateNameMismatch',
+ },
+ ],
+ totalCount: 1,
+ dataAsOf: '2026-04-18T10:00:00Z',
+ }));
+
+ fixture.detectChanges();
+ await fixture.whenStable();
+ fixture.detectChanges();
+
+ const banners = Array.from(fixture.nativeElement.querySelectorAll('.banner--warning')) as HTMLElement[];
+ const attentionBanner = banners.find((banner) =>
+ banner.textContent?.includes('enabled advisory source') &&
+ banner.textContent?.includes('RemoteCertificateNameMismatch'));
+
+ expect(component.enabledCount()).toBe(1);
+ expect(component.enabledSourceFailures().length).toBe(1);
+ expect(attentionBanner?.textContent).toContain('enabled advisory source');
+ expect(attentionBanner?.textContent).toContain('RemoteCertificateNameMismatch');
+ expect(attentionBanner?.textContent).toContain('Configure Mirror');
+ });
+});
+