semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,31 @@
# Automatic code_not_reachable VEX Justification Generation
## Module
Excititor
## Status
IMPLEMENTED
## Description
Automatically generates VEX `code_not_reachable` justifications when reachability slice verdict is "unreachable", including slice digest as evidence reference and supporting OpenVEX, CSAF, and CycloneDX formats. Auto-generated justifications require human approval by default.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/`
- **Key Classes**:
- `VexNotReachableJustification` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexNotReachableJustification.cs`) - generates `code_not_reachable` justifications from reachability data
- `ReachabilityJustificationGenerator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/ReachabilityJustificationGenerator.cs`) - generates justifications from reachability slice verdicts
- `VexDowngradeGenerator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexDowngradeGenerator.cs`) - generates VEX downgrade statements when code is unreachable
- `AutoVexDowngradeService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/AutoVexDowngradeService.cs`) - service orchestrating auto-VEX downgrade workflow
- `ReachabilityLatticeUpdater` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/ReachabilityLatticeUpdater.cs`) - updates lattice state with reachability evidence
- `TimeBoxedConfidence` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/TimeBoxedConfidence.cs`) - time-bounded confidence for auto-generated justifications
- `SliceVerdictConsumer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/SliceVerdictConsumer.cs`) - consumes reachability slice verdicts
- **Interfaces**: `ISliceVerdictConsumer`
- **Source**: SPRINT_3830_0001_0001_vex_integration_policy_binding.md
## E2E Test Plan
- [ ] Trigger a reachability slice verdict of "unreachable" and verify `VexNotReachableJustification` generates a `code_not_reachable` justification
- [ ] Verify the generated justification includes the slice digest as evidence reference
- [ ] Verify `AutoVexDowngradeService` marks auto-generated justifications as requiring human approval by default
- [ ] Verify `TimeBoxedConfidence` applies time-bounded confidence decay to auto-generated justifications
- [ ] Verify generated justifications are compatible with OpenVEX, CSAF, and CycloneDX export formats
- [ ] Verify `ReachabilityLatticeUpdater` updates the lattice state when reachability evidence changes

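Review bot: the human-approval gate stated in the Description (`Auto-generated justifications require human approval by default`) has no corresponding class, option or interface in Implementation Details, and the E2E item `Verify AutoVexDowngradeService marks auto-generated justifications as requiring human approval by default` checks only the marking, not the enforcement. Name the component that holds the approval state and add a negative test that an unapproved `code_not_reachable` justification never reaches an exported OpenVEX, CSAF or CycloneDX document. Likewise for the slice digest: the plan only checks that it is included as an evidence reference; add a check that the digest resolves to the slice that produced the `unreachable` verdict, otherwise the evidence link is decorative.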
@@ -0,0 +1,30 @@
# Excititor VEX escalation service
## Module
Excititor
## Status
IMPLEMENTED
## Description
Excititor module with auto-VEX justification, calibration comparison engine, CycloneDX export, and export engine with test coverage.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Export/`
- **Key Classes**:
- `AutoVexDowngradeService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/AutoVexDowngradeService.cs`) - orchestrates auto-VEX downgrade and escalation
- `CalibrationComparisonEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationComparisonEngine.cs`) - compares calibration results for post-mortem analysis
- `DriftGateIntegration` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/DriftGateIntegration.cs`) - integrates drift detection with VEX escalation
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - multi-format VEX export engine (OpenVEX, CycloneDX, CSAF)
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus across multiple VEX sources
- `VexConsensusRefreshService` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexConsensusRefreshService.cs`) - scheduled refresh of VEX consensus
- **Interfaces**: `IVexConsensusPolicy`, `IVexExportStore`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Trigger a VEX escalation when conflicting claims are detected and verify `AutoVexDowngradeService` produces the correct escalated status
- [ ] Verify `CalibrationComparisonEngine` compares pre/post calibration snapshots and reports differences
- [ ] Verify `DriftGateIntegration` escalates VEX status when drift is detected in container images
- [ ] Export VEX data via `ExportEngine` in CycloneDX format and verify schema compliance
- [ ] Verify `VexConsensusResolver` resolves multi-source conflicts deterministically
- [ ] Verify `VexConsensusRefreshService` periodically refreshes consensus and detects status changes

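Review bot: the title promises a `VEX escalation service`, but no class in Implementation Details is an escalation service, and `AutoVexDowngradeService` is described here as orchestrating `auto-VEX downgrade and escalation` while the code_not_reachable file in this commit describes the same class as orchestrating only the downgrade workflow; settle on one description and cross-reference the two files. The Description (`auto-VEX justification, calibration comparison engine, CycloneDX export, and export engine with test coverage`) reads as a list of unrelated features rather than one feature; narrow it to the escalation behaviour the test plan exercises. The `VexConsensusRefreshService` item (`periodically refreshes consensus`) is not testable end to end as written; state the trigger the test will use (injected clock or explicit invocation).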
@@ -0,0 +1,28 @@
# Excititor VEX Evidence Chunk Service
## Module
Excititor
## Status
IMPLEMENTED
## Description
Chunked evidence service for VEX data that splits large evidence payloads into manageable chunks for API transport and storage.
## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.WebService/Services/`, `src/Excititor/StellaOps.Excititor.WebService/Endpoints/`
- **Key Classes**:
- `VexEvidenceChunkService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexEvidenceChunkService.cs`) - splits large VEX evidence payloads into chunks for transport
- `EvidenceEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/EvidenceEndpoints.cs`) - REST endpoints for evidence chunk operations
- `VexEvidenceChunkContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexEvidenceChunkContracts.cs`) - API contracts for evidence chunks
- `VexEvidenceContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexEvidenceContracts.cs`) - API contracts for evidence data
- **Interfaces**: None (uses concrete service)
- **Source**: Sprints 0119 (batch_14/file_19.md)
## E2E Test Plan
- [ ] Submit a large VEX evidence payload and verify `VexEvidenceChunkService` splits it into chunks within size limits
- [ ] Retrieve chunked evidence via `EvidenceEndpoints` and verify all chunks can be reassembled into the original payload
- [ ] Verify chunk ordering is preserved and each chunk includes a sequence number
- [ ] Verify `VexEvidenceChunkContracts` response includes chunk count and total size metadata
- [ ] Verify chunked transport handles partial failures gracefully (retry individual chunks)
- [ ] Verify large evidence payloads (>10MB) are chunked without memory issues

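Review bot: the reassembly item (`verify all chunks can be reassembled into the original payload`) needs an integrity check, not a length check: assert that a digest of the reassembled payload equals a digest recorded with the chunk set in `VexEvidenceChunkContracts`, next to the `chunk count and total size metadata`. The sequence-number item should also cover the failure cases: a missing, duplicated or out-of-order chunk is rejected rather than silently concatenated, and the `size limits` in the first item are enforced server-side on upload so a client cannot submit an oversize chunk. `>10MB ... without memory issues` is not a pass/fail criterion; give a bound (peak allocation relative to chunk size, or a requirement to stream rather than buffer the whole payload).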
@@ -0,0 +1,30 @@
# Excititor VEX Justification Normalization API
## Module
Excititor
## Status
IMPLEMENTED
## Description
Normalized VEX justification projections served at a REST endpoint, enabling consumers to retrieve standardized VEX observation data for vulnerability/product combinations.
## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.WebService/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/`
- **Key Classes**:
- `VexObservationProjectionService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexObservationProjectionService.cs`) - projects normalized VEX observations for API consumption
- `ObservationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/ObservationEndpoints.cs`) - REST endpoints for VEX observation queries
- `VexObservationContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexObservationContracts.cs`) - API contracts for observation responses
- `VexObservationQueryService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservationQueryService.cs`) - queries VEX observations by vulnerability/product
- `VexObservation` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservation.cs`) - normalized VEX observation model
- `VexNormalizationTelemetryRecorder` (`src/Excititor/StellaOps.Excititor.WebService/Telemetry/VexNormalizationTelemetryRecorder.cs`) - telemetry for normalization operations
- **Interfaces**: `IVexObservationQueryService`, `IVexObservationLookup`
- **Source**: batch_54/file_12.md (Sprint 110 update)
## E2E Test Plan
- [ ] Query normalized VEX observations via `ObservationEndpoints` for a specific CVE and verify standardized response format
- [ ] Verify `VexObservationProjectionService` normalizes observations from multiple VEX formats into a unified projection
- [ ] Verify `VexObservationQueryService` supports filtering by vulnerability ID, product, and status
- [ ] Verify `VexObservationContracts` response includes justification text, status, and evidence references
- [ ] Verify `VexNormalizationTelemetryRecorder` captures telemetry for normalization operations
- [ ] Verify the API returns consistent results regardless of the original VEX format (OpenVEX, CSAF, CycloneDX)

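Review bot: `VexObservation` and `VexObservationQueryService` are listed here and again in the Observation and Linkset Stores file with different one-line descriptions (`normalized VEX observation model` vs `observation model`); keep one description and cross-reference. None of the test items states what the response is when nothing matches the CVE/product filter (empty list vs 404), which is where consumers usually break; add it. The `Source` line uses a different citation convention from the other files in this commit (`batch_54/file_12.md (Sprint 110 update)` vs `Sprints 0119 (batch_14/file_19.md)`); normalise.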
@@ -0,0 +1,34 @@
# Excititor VEX Observation and Linkset Stores
## Module
Excititor
## Status
IMPLEMENTED
## Description
PostgreSQL append-only stores for VEX observations and linksets with list endpoints, projection services, and conflict annotation support.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/`, `src/Excititor/StellaOps.Excititor.WebService/Endpoints/`
- **Key Classes**:
- `VexLinksetExtractionService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinksetExtractionService.cs`) - extracts linksets from VEX documents
- `AppendOnlyLinksetExtractionService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/AppendOnlyLinksetExtractionService.cs`) - append-only linkset extraction
- `VexLinksetDisagreementService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinksetDisagreementService.cs`) - detects and annotates linkset conflicts
- `VexLinkset` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinkset.cs`) - linkset model connecting VEX observations
- `VexObservation` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservation.cs`) - observation model
- `VexObservationQueryService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservationQueryService.cs`) - queries observations
- `LinksetEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/LinksetEndpoints.cs`) - REST endpoints for linkset queries
- `ObservationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/ObservationEndpoints.cs`) - REST endpoints for observation queries
- `VexLinksetListContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexLinksetListContracts.cs`) - API contracts for linkset list
- `VexObservationListContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexObservationListContracts.cs`) - API contracts for observation list
- **Interfaces**: `IVexObservationStore`, `IVexLinksetStore`, `IAppendOnlyLinksetStore`, `IVexLinksetEventPublisher`, `IVexTimelineEventEmitter`, `IVexTimelineEventStore`
- **Source**: Sprints 0119 I-III (batch_14/file_19-21.md)
## E2E Test Plan
- [ ] Store a VEX observation and verify append-only semantics (no update/delete)
- [ ] Extract linksets via `VexLinksetExtractionService` and verify they connect related observations
- [ ] Verify `VexLinksetDisagreementService` detects conflicting observations and annotates the linkset
- [ ] Query observations via `ObservationEndpoints` and verify pagination and filtering
- [ ] Query linksets via `LinksetEndpoints` and verify they include all related observations
- [ ] Verify timeline events are emitted when observations and linksets are created

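Review bot: the Interfaces line names `IVexTimelineEventEmitter` and `IVexTimelineEventStore`, and the last test item verifies that `timeline events are emitted`, but no Key Class implementing either interface is listed; add the implementing class or drop the interfaces from this file. The first item, `verify append-only semantics (no update/delete)`, should say where that property is enforced: if the repository merely omits update/delete methods, the test is a code-review claim rather than an end-to-end check; if it is enforced in PostgreSQL (grants, rules or triggers), test it by issuing an UPDATE and a DELETE against the store with the service's own role and asserting both fail.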
@@ -0,0 +1,30 @@
# OpenVEX Format Support
## Module
Excititor
## Status
IMPLEMENTED
## Description
OpenVEX format supported with golden corpus test fixtures for all VEX statuses (affected, not_affected, fixed, under_investigation) and OpenVEX export snapshot tests in the Excititor module.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Export/`
- **Key Classes**:
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - exports VEX data in OpenVEX format
- `VexCanonicalJsonSerializer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexCanonicalJsonSerializer.cs`) - canonical JSON serialization for OpenVEX
- `VexClaim` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexClaim.cs`) - internal VEX claim model normalized from OpenVEX
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - consensus model supporting OpenVEX statuses
- `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates OpenVEX document ingestion
- `IngestEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/IngestEndpoints.cs`) - REST endpoints for VEX ingestion
- **Interfaces**: `IVexExportStore`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Ingest an OpenVEX document via `IngestEndpoints` and verify all statements are normalized into `VexClaim` models
- [ ] Verify all OpenVEX statuses are supported: affected, not_affected, fixed, under_investigation
- [ ] Export VEX data in OpenVEX format via `ExportEngine` and verify JSON schema compliance
- [ ] Verify `VexCanonicalJsonSerializer` produces deterministic OpenVEX output
- [ ] Verify round-trip: ingest an OpenVEX document and export it back to OpenVEX with equivalent content
- [ ] Verify OpenVEX golden corpus test fixtures validate all status combinations

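Review bot: the round-trip item (`export it back to OpenVEX with equivalent content`) leaves `equivalent` undefined; since `VexCanonicalJsonSerializer` is already listed, define it as byte-identical canonical serialization of the ingested and exported documents, or enumerate the fields (status, justification, product identifiers, timestamps) that must survive. The ingest item goes through `IngestEndpoints`, while the VEX Cryptographic Verification file in this commit states that signatures are verified at ingestion time; say whether the golden corpus fixtures are signed, otherwise the ingest test exercises only the unsigned path.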
@@ -0,0 +1,37 @@
# Trust Vector Calibration System
## Module
Excititor
## Status
IMPLEMENTED
## Description
Full trust calibration system including: DefaultTrustVectors (per-source baseline trust), SourceClassificationService, CalibrationManifest (versioned calibration snapshots), CalibrationComparisonEngine (post-mortem comparison), TrustVectorCalibrator with learning rate, and TrustCalibrationService. Distinct from "VEX Source Trust Scoring" which is about individual scoring; this is the calibration/tuning infrastructure.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/`
- **Key Classes**:
- `TrustCalibrationService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/TrustCalibrationService.cs`) - orchestrates trust vector calibration
- `TrustVectorCalibrator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/TrustVectorCalibrator.cs`) - calibrates trust vectors with configurable learning rate
- `CalibrationComparisonEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationComparisonEngine.cs`) - post-mortem comparison of calibration snapshots
- `CalibrationManifest` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationManifest.cs`) - versioned calibration snapshot model
- `DefaultTrustVectors` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/DefaultTrustVectors.cs`) - per-source baseline trust values
- `SourceClassificationService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/SourceClassificationService.cs`) - classifies VEX sources for trust assignment
- `TrustVector` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/TrustVector.cs`) - trust vector model with multi-dimensional scores
- `TrustWeights` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/TrustWeights.cs`) - configurable trust weights
- `FreshnessCalculator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/FreshnessCalculator.cs`) - calculates freshness component of trust vector
- `ProvenanceScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ProvenanceScorer.cs`) - scores provenance for trust calculation
- `CoverageScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/CoverageScorer.cs`) - scores coverage for trust calculation
- `ReplayabilityScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ReplayabilityScorer.cs`) - scores replayability for trust calculation
- **Interfaces**: None (uses concrete calibration pipeline)
- **Source**: SPRINT_7100_0002_0002_source_defaults_calibration.md
## E2E Test Plan
- [ ] Run `TrustCalibrationService` and verify it calibrates trust vectors based on historical VEX accuracy
- [ ] Verify `TrustVectorCalibrator` adjusts trust scores with configurable learning rate (slow convergence)
- [ ] Verify `CalibrationManifest` creates versioned snapshots of calibration state
- [ ] Verify `CalibrationComparisonEngine` compares two manifests and reports trust score drift
- [ ] Verify `DefaultTrustVectors` provides correct baseline values for vendor, distro, and internal sources
- [ ] Verify `SourceClassificationService` classifies new VEX sources into correct categories
- [ ] Verify individual scorers (Freshness, Provenance, Coverage, Replayability) contribute weighted scores to the trust vector

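Review bot: the first test item calibrates `based on historical VEX accuracy`, but no class in Implementation Details supplies historical accuracy data, and `Interfaces: None` means there is no seam to inject a fixture history; name the input. `configurable learning rate (slow convergence)` is not a pass/fail criterion; assert an upper bound on how far a source's trust vector can move in one calibration run, and add a test that a source cannot raise its own trust through volume of self-consistent claims alone, which is the obvious way to push a learning-rate update. The closing sentence of the Description (`Distinct from "VEX Source Trust Scoring" ...`) is a note about the matrix, not about the feature; move it to a Notes section as the VEX Delta Persistence file does.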
@@ -0,0 +1,30 @@
# VEX annotation and export (OpenVEX + CycloneDX VEX formats)
## Module
Excititor
## Status
IMPLEMENTED
## Description
OpenVEX, CycloneDX, and CSAF VEX normalizers plus consensus export service implement multi-format VEX annotation and export.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Export/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/`
- **Key Classes**:
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - multi-format VEX export engine
- `VexExportManifest` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexExportManifest.cs`) - manifest tracking exported VEX data
- `FileSystemArtifactStore` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/FileSystemArtifactStore.cs`) - file-based storage for exported artifacts
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - consensus model for export
- `VexCanonicalJsonSerializer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexCanonicalJsonSerializer.cs`) - canonical JSON for deterministic export
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus before export
- **Interfaces**: `IVexArtifactStore`, `IVexExportStore`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Export VEX data in OpenVEX format via `ExportEngine` and verify schema compliance
- [ ] Export VEX data in CycloneDX format and verify CycloneDX VEX schema compliance
- [ ] Export VEX data in CSAF format and verify CSAF schema compliance
- [ ] Verify `VexExportManifest` tracks all exported artifacts with content hashes
- [ ] Verify `VexCanonicalJsonSerializer` produces deterministic output across repeated exports
- [ ] Verify `FileSystemArtifactStore` persists exported artifacts to the configured directory

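Review bot: the title says `OpenVEX + CycloneDX VEX formats` while the Description, the `ExportEngine` entry and the test plan all include CSAF; update the title. The manifest item (`tracks all exported artifacts with content hashes`) should assert that the recorded hash matches a fresh hash of the artifact persisted by `FileSystemArtifactStore`, which also makes the determinism item measurable (two exports, identical hashes). `ExportEngine`, `VexConsensus`, `VexCanonicalJsonSerializer` and `VexConsensusResolver` are listed again in the OpenVEX Format Support and escalation files with slightly different descriptions; cross-reference rather than restate.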
@@ -0,0 +1,33 @@
# VEX Claim Normalization (Multi-Format Ingestion)
## Module
Excititor
## Status
IMPLEMENTED
## Description
Normalization of VEX claims from OpenVEX, CycloneDX VEX, and CSAF formats into canonical internal representation with vendor-specific connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco).
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*/`
- **Key Classes**:
- `VexClaim` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexClaim.cs`) - canonical VEX claim model
- `VexAdvisoryKeyCanonicalizer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Canonicalization/VexAdvisoryKeyCanonicalizer.cs`) - canonicalizes advisory keys across formats
- `VexProductKeyCanonicalizer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Canonicalization/VexProductKeyCanonicalizer.cs`) - canonicalizes product keys across formats
- `UbuntuCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/UbuntuCsafConnector.cs`) - Ubuntu CSAF ingestion
- `RedHatCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/RedHatCsafConnector.cs`) - Red Hat CSAF ingestion
- `OracleCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/OracleCsafConnector.cs`) - Oracle CSAF ingestion
- `MsrcCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/MsrcCsafConnector.cs`) - Microsoft MSRC CSAF ingestion
- `CiscoCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs`) - Cisco CSAF ingestion
- `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates multi-format ingestion
- **Interfaces**: `VexConnectorBase` (abstract base)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Ingest a CSAF advisory from each vendor connector (Ubuntu, Red Hat, Oracle, Microsoft, Cisco) and verify normalization into `VexClaim`
- [ ] Verify `VexAdvisoryKeyCanonicalizer` produces identical keys for the same advisory across different formats
- [ ] Verify `VexProductKeyCanonicalizer` produces identical product keys for the same product across formats
- [ ] Ingest the same vulnerability from multiple formats (OpenVEX, CSAF, CycloneDX) and verify they normalize to equivalent claims
- [ ] Verify `VexIngestOrchestrator` routes documents to the correct normalizer based on format detection
- [ ] Verify normalization handles vendor-specific fields (Red Hat errata, Microsoft KB articles, Cisco bug IDs)

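Review bot: the Description and the fourth test item cover OpenVEX and CycloneDX VEX ingestion, but every Key Class is a CSAF connector or a key canonicalizer; no OpenVEX or CycloneDX normalizer is listed, so the multi-format claim is not supported by the Implementation Details as written. `VexConnectorBase` is an abstract class, not an interface, and belongs under Key Classes. The format-detection item (`routes documents to the correct normalizer based on format detection`) needs a negative case: a document that matches no known format, or whose declared format disagrees with its content, is rejected rather than handed to a best-effort normalizer.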
@@ -0,0 +1,32 @@
# VEX Claims Resolution Engine (Multi-Source Merge)
## Module
Excititor
## Status
IMPLEMENTED
## Description
Multi-source VEX claim resolution with policy-controlled merge semantics resolving conflicts between vendor, distro, internal, and scanner claims into a deterministic resolved status.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`
- **Key Classes**:
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves multi-source VEX claims into consensus
- `BaselineVexConsensusPolicy` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs`) - baseline policy for consensus resolution
- `VexConsensusPolicyOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs`) - configurable policy options for merge semantics
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - resolved consensus model
- `VexConsensusHold` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusHold.cs`) - holds on consensus when manual review is needed
- `ClaimScoreMerger` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/ClaimScoreMerger.cs`) - merges claim scores from multiple sources
- `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts policy lattice rules for VEX merge
- `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - registry of trust weights per source
- **Interfaces**: `IVexConsensusPolicy`, `IVexLatticeProvider`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit conflicting VEX claims (vendor says "fixed", distro says "affected") and verify `VexConsensusResolver` resolves deterministically based on policy
- [ ] Verify `BaselineVexConsensusPolicy` applies default merge rules when no custom policy is configured
- [ ] Verify `ClaimScoreMerger` weights claims by trust level when merging scores
- [ ] Verify `VexConsensusHold` is triggered when claims conflict and manual review is required by policy
- [ ] Verify `TrustWeightRegistry` applies different weights to vendor, distro, internal, and scanner sources
- [ ] Verify resolution is deterministic: same inputs always produce the same consensus output

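Review bot: the first item supplies an input (`vendor says "fixed", distro says "affected"`) but not the expected consensus under `BaselineVexConsensusPolicy`, so it cannot fail; state the expected status and, for the `VexConsensusHold` item, the exact condition that triggers a hold. The determinism item (`same inputs always produce the same consensus output`) should also cover input order: feed the same claims in permuted order and assert identical output, since an order-dependent merge is the usual source of non-determinism in multi-source resolution. `IVexLatticeProvider`, `ClaimScoreMerger`, `PolicyLatticeAdapter` and `TrustWeightRegistry` are repeated in the Lattice-Based Merge file; cross-reference.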
@@ -0,0 +1,32 @@
# VEX Cryptographic Verification
## Module
Excititor
## Status
IMPLEMENTED
## Description
Cryptographic signature verification of VEX documents at ingestion time with crypto profile selection and issuer validation.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/StellaOps.Excititor.Worker/Signature/`
- **Key Classes**:
- `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - production signature verifier for VEX documents
- `CryptoProfileSelector` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/CryptoProfileSelector.cs`) - selects crypto profile (FIPS, eIDAS, GOST, SM) based on issuer
- `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches verification results for performance
- `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
- `VexVerificationModels` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationModels.cs`) - verification result models
- `VexVerificationMetrics` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationMetrics.cs`) - metrics for verification operations
- `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - worker-side signature verification
- `VerifyingVexRawDocumentSink` (`src/Excititor/StellaOps.Excititor.Worker/Signature/VerifyingVexRawDocumentSink.cs`) - sink that verifies signatures before persisting
- **Interfaces**: `IVexSignatureVerifierV2`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Ingest a cryptographically signed VEX document and verify `ProductionVexSignatureVerifier` validates the signature
- [ ] Verify `CryptoProfileSelector` selects the correct crypto profile based on the issuer's regional requirements
- [ ] Verify `VerificationCacheService` caches verification results and returns cached results for repeated checks
- [ ] Ingest a VEX document with an invalid signature and verify rejection with a clear error
- [ ] Verify `VerifyingVexRawDocumentSink` rejects unsigned documents when signature verification is required
- [ ] Verify `VexVerificationMetrics` records verification success/failure counts and latency

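Review bot: `CryptoProfileSelector` selects the profile `based on issuer`, and the matching test item only checks that the `correct` profile is chosen; add the negative case where an issuer or a document's signature metadata requests a profile that policy does not permit for that issuer, and assert rejection, otherwise profile selection becomes a downgrade vector controlled by the signer. The `VerificationCacheService` item should state what the cache is keyed on (at least the document digest and the key identifier) and add a test that a rotated or revoked issuer key is not served from cache. The `VerifyingVexRawDocumentSink` item (`when signature verification is required`) implies a mode where it is not; record the default in `VexSignatureVerifierOptions` and test that the default rejects unsigned documents.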
@@ -0,0 +1,40 @@
# VEX Delta Persistence Table
## Status
IMPLEMENTED
## Description
Persistent tracking of VEX status transitions between artifact versions with rationale and replay hashes. Schema designed but not implemented.
## Why Marked as Dropped (Correction)
**FINDING: VEX delta persistence IS implemented across multiple modules.** The following exist:
- `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexDeltaRepository.cs` -- PostgreSQL VEX delta repository
- `src/VexLens/StellaOps.VexLens/Services/VexDeltaComputeService.cs` -- VEX delta computation
- `src/VexLens/StellaOps.VexLens/Mapping/VexDeltaMapper.cs` -- VEX delta data mapping
- `src/VexLens/StellaOps.VexLens/Storage/InMemoryConsensusProjectionStore.cs` -- in-memory projection store
- `src/VexLens/StellaOps.VexLens.Persistence/Repositories/ConsensusProjectionRepository.cs` -- persistent consensus projections
- `src/VexLens/StellaOps.VexLens.Persistence/Postgres/VexLensDataSource.cs` -- PostgreSQL data source
- `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs` -- SBOM lineage VEX delta tracking
- `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql` -- migration with VEX delta tables
- Attestor proof chain predicates: `VexDeltaPredicate.cs`, `VexDeltaSummary.cs`, `VexDeltaChange.cs`, `VexDeltaStatement.cs`
## Implementation Details
- Excititor persistence: `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexDeltaRepository.cs`
- VexLens computation: `src/VexLens/StellaOps.VexLens/Services/VexDeltaComputeService.cs`
- VexLens mapping: `src/VexLens/StellaOps.VexLens/Mapping/VexDeltaMapper.cs`
- SbomService lineage: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs`
- Attestor predicates: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDelta*.cs`
## E2E Test Plan
- Verify VEX delta computation tracks status transitions correctly
- Test persistence and retrieval of VEX deltas
- Validate consensus projection store maintains correct state
- Test delta predicates are included in proof chain attestations
## Source
- Feature matrix scan
## Notes
- Module: Excititor
- Modules referenced: `src/Excititor/`, `src/VexLens/`, `src/SbomService/`
- **Status should be reclassified from NOT_FOUND to IMPLEMENTED**

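Review bot: this file contradicts itself. `## Status` is `IMPLEMENTED` and the finding says `VEX delta persistence IS implemented`, yet the Description ends with `Schema designed but not implemented.`; delete that sentence. The heading `Why Marked as Dropped (Correction)` refers to a `Dropped` status while the Notes say `reclassified from NOT_FOUND to IMPLEMENTED`; use the one prior status the matrix actually recorded. The file also departs from the layout of every other file in this commit: no `## Module` heading (Module is buried in Notes), `## Source` as a heading instead of a `**Source**` bullet, plain bullets instead of `- [ ]` checkboxes in the E2E plan, and no `**Interfaces**` line. The Attestor entry (`VexDelta*.cs`) names four predicate files but the glob hides their paths; list them with the same full-path convention as the other entries.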
@@ -0,0 +1,31 @@
# VEX Handling with Formal Reasoning (Lattice-Based Merge)
## Module
Excititor
## Status
IMPLEMENTED
## Description
VEX handling with a K4 trust lattice engine for deterministic merging of vendor/distro/internal VEX claims, claim score merging, conflict penalization, and disposition selection via policy-driven rules.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/`
- **Key Classes**:
- `ClaimScoreMerger` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/ClaimScoreMerger.cs`) - merges claim scores using lattice algebra with conflict penalization
- `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts K4 policy lattice for VEX claim merge
- `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - registry of per-source trust weights
- `ClaimScoreCalculator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ClaimScoreCalculator.cs`) - calculates claim scores from trust vectors
- `ClaimStrength` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ClaimStrength.cs`) - claim strength model
- `VexScoreEnvelope` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexScoreEnvelope.cs`) - envelope wrapping scored VEX claims
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus using lattice rules
- **Interfaces**: `IVexLatticeProvider`, `IVexConsensusPolicy`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit multiple VEX claims for the same vulnerability and verify `ClaimScoreMerger` produces a deterministic merged score using lattice algebra
- [ ] Verify conflict penalization: conflicting claims (affected vs not_affected) reduce the merged score
- [ ] Verify `PolicyLatticeAdapter` applies K4 lattice rules for disposition selection (top > bottom in lattice ordering)
- [ ] Verify `TrustWeightRegistry` applies different weights to vendor, distro, and internal sources
- [ ] Verify `ClaimScoreCalculator` computes scores from multi-dimensional trust vectors
- [ ] Verify the merged result is monotonic: adding more evidence can only increase confidence, not decrease it

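Review bot: the last two test items contradict each other: `conflicting claims (affected vs not_affected) reduce the merged score` and `adding more evidence can only increase confidence, not decrease it` cannot both hold for one score. In a K4 (Belnap) lattice, monotonicity is in the knowledge order (more evidence moves toward Both, never back toward None), not in confidence that a given status is true; rewrite the monotonicity item in those terms, and make `top > bottom in lattice ordering` say which of the two orders (knowledge or truth) `PolicyLatticeAdapter` uses for disposition selection. The `TrustWeightRegistry` item omits `scanner` sources, which the Claims Resolution Engine file lists as a fourth source class for the same registry.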
@@ -0,0 +1,30 @@
# VEX Issuer Identity Verification
## Module
Excititor
## Status
IMPLEMENTED
## Description
Cryptographic verification of VEX issuer identities with signature verification, issuer directory lookup, verification caching, and configurable verification options.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/`
- **Key Classes**:
- `IssuerDirectoryClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/IssuerDirectoryClient.cs`) - looks up issuer public keys from the issuer directory
- `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - verifies VEX document signatures against issuer keys
- `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches issuer verification results
- `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
- `ConnectorSignerMetadata` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadata.cs`) - signer metadata for connector-level trust
- `ConnectorSignerMetadataEnricher` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadataEnricher.cs`) - enriches connector metadata with signer info
- **Interfaces**: `IVexSignatureVerifierV2`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify `IssuerDirectoryClient` looks up issuer public keys from the issuer directory service
- [ ] Verify `ProductionVexSignatureVerifier` validates a VEX document signed by a known issuer
- [ ] Verify rejection when a VEX document is signed by an unknown issuer not in the directory
- [ ] Verify `VerificationCacheService` caches issuer lookup results and returns cached results on repeat queries
- [ ] Verify `ConnectorSignerMetadataEnricher` enriches connector metadata with signer identity info
- [ ] Verify `VexSignatureVerifierOptions` allows configuring verification strictness (strict, permissive, disabled)
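
Review bot: the E2E plan covers the cache-hit path for `VerificationCacheService` but not invalidation, which is the security-relevant case: once a positive verification result is cached, a key that is rotated or revoked in the issuer directory keeps being accepted until the entry expires. Suggest adding an item such as "Rotate or revoke an issuer key in the directory and verify `VerificationCacheService` stops returning the cached positive result for documents signed with the old key", and documenting where the cache lifetime is configured. Also, the last item lists a `disabled` strictness mode; the Description should say how statements ingested with verification disabled are marked so they are not treated as issuer-verified downstream.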

@@ -0,0 +1,32 @@
# VEX normalization and multi-format ingestion (OpenVEX, CSAF)
## Module
Excititor
## Status
IMPLEMENTED
## Description
VEX normalization, delta mapping, export compatibility testing, and auto-VEX justification across VexLens, VexHub, and Excititor modules.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/StellaOps.Excititor.WebService/`
- **Key Classes**:
- `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates multi-format VEX ingestion pipeline
- `VexStatementBackfillService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexStatementBackfillService.cs`) - backfills VEX statements for historical coverage
- `VexRawDocumentMapper` (`src/Excititor/StellaOps.Excititor.WebService/Extensions/VexRawDocumentMapper.cs`) - maps raw VEX documents to internal models
- `VexRawRequestMapper` (`src/Excititor/StellaOps.Excititor.WebService/Extensions/VexRawRequestMapper.cs`) - maps API requests to raw VEX documents
- `VexHashingService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexHashingService.cs`) - content-addressed hashing for VEX documents
- `VexDeltaModels` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexDeltaModels.cs`) - delta models for tracking VEX changes
- `VexStatementChangeEvent` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexStatementChangeEvent.cs`) - events for VEX statement changes
- `IngestEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/IngestEndpoints.cs`) - REST endpoints for VEX ingestion
- **Interfaces**: None (uses concrete pipeline)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Ingest an OpenVEX document via `IngestEndpoints` and verify `VexIngestOrchestrator` normalizes it into internal models
- [ ] Ingest a CSAF document and verify equivalent normalization results
- [ ] Verify `VexHashingService` produces content-addressed hashes for deduplication
- [ ] Verify `VexDeltaModels` track changes between ingestion runs (new, modified, removed statements)
- [ ] Verify `VexStatementChangeEvent` is emitted for each statement change
- [ ] Verify `VexStatementBackfillService` backfills missing VEX statements from historical data
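
Review bot: the Description says the feature spans VexLens, VexHub, and Excititor, but the Module line lists only Excititor and every path under Key Classes is below `src/Excititor/`; either list the other modules and their classes or trim the Description to what this file documents. The E2E plan also has no negative item: add one that ingests a malformed or unsupported-format document through `IngestEndpoints` and verifies the pipeline rejects it with a clear error rather than storing a partially normalized statement.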

@@ -0,0 +1,35 @@
# VEX Override Workflow with Attestation Linkage
## Module
Excititor
## Status
IMPLEMENTED
## Description
VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/`
- **Key Classes**:
- `VexDsseBuilder` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs`) - builds DSSE envelopes for VEX override decisions
- `VexAttestationClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs`) - client for VEX attestation operations
- `VexEvidenceAttestor` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs`) - attests VEX evidence with DSSE signatures
- `VexAttestationVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs`) - verifies VEX attestation envelopes
- `VexAttestationPredicate` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs`) - predicate model for VEX attestations
- `RekorHttpClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs`) - Rekor transparency log client
- `DsseEvidenceSignatureValidator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs`) - validates DSSE signatures on evidence
- `VexEvidenceLinker` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs`) - links VEX decisions to supporting evidence
- `AttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation operations
- `RekorAttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs`) - Rekor-specific attestation endpoints
- **Interfaces**: `IVexSigner`, `ITransparencyLogClient`, `IVexAttestationVerifier`
- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md
## E2E Test Plan
- [ ] Create a VEX override and verify `VexDsseBuilder` mints a DSSE-signed envelope with the operator's decision
- [ ] Verify `VexAttestationClient` persists the envelope digest and Rekor entry info
- [ ] Verify `VexAttestationVerifier` validates the DSSE signature on a VEX override attestation
- [ ] Verify `RekorHttpClient` submits the attestation to the Rekor transparency log and retrieves the entry
- [ ] Verify `VexEvidenceLinker` links the override decision to supporting binary-diff or reachability evidence
- [ ] Verify `DsseEvidenceSignatureValidator` rejects overrides with invalid DSSE signatures
- [ ] Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references
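
Review bot: the Description says the feature includes an offline stub client, but no stub appears under Key Classes (only `RekorHttpClient` is listed for `ITransparencyLogClient`) and no E2E item exercises the offline path. Suggest listing the stub implementation with its path and adding an item such as "With the offline client configured, create an override and verify the DSSE envelope is still minted and persisted while the Rekor entry info is recorded as absent or pending". The `RekorHttpClient` item should also check the retrieved entry, not just retrieve it: assert that the logged digest matches the envelope digest persisted by `VexAttestationClient`, so a tampered envelope fails even when a log entry exists.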

@@ -0,0 +1,31 @@
# VEX Policy-Controlled Trust and Evidence Requirements
## Module
Excititor
## Status
IMPLEMENTED
## Description
Policy-driven trust weights and evidence requirements for VEX claims, with guardrails ensuring safe statuses require evidence satisfaction.
## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/StellaOps.Excititor.WebService/`
- **Key Classes**:
- `BaselineVexConsensusPolicy` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs`) - baseline policy with evidence requirements for safe statuses
- `VexConsensusPolicyOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs`) - configurable policy options for trust and evidence
- `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - per-source trust weight configuration
- `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts policy engine rules for VEX trust evaluation
- `VexEvidenceLinkOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinkOptions.cs`) - evidence linking requirements configuration
- `PolicyEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/PolicyEndpoints.cs`) - REST endpoints for VEX policy queries
- `PolicyContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/PolicyContracts.cs`) - API contracts for policy data
- **Interfaces**: `IVexConsensusPolicy`, `IVexLatticeProvider`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Configure a policy requiring binary-diff evidence for `not_affected` status and verify claims without evidence are rejected
- [ ] Verify `TrustWeightRegistry` applies configurable trust weights: increase vendor weight and verify vendor claims rank higher
- [ ] Verify `BaselineVexConsensusPolicy` enforces minimum evidence requirements for safe statuses (not_affected, fixed)
- [ ] Verify `PolicyLatticeAdapter` applies K4 lattice rules from the policy engine to VEX trust evaluation
- [ ] Verify `VexEvidenceLinkOptions` requires specific evidence types (reachability, binary-diff) for specific statuses
- [ ] Verify `PolicyEndpoints` returns the active VEX policy configuration
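
Review bot: the E2E plan checks evidence rejection and trust-weight ranking as separate items but never their interaction, which is the guardrail the Description promises: add an item asserting that a `not_affected` claim from the highest-weighted source still does not yield a safe status when the evidence required by `VexEvidenceLinkOptions` is missing, i.e. trust weight cannot substitute for evidence. Also, `TrustWeightRegistry` and `PolicyLatticeAdapter` are listed here with different one-line descriptions than in the earlier claim-merge file ("adapts K4 policy lattice for VEX claim merge" vs "adapts policy engine rules for VEX trust evaluation"); keep one description per class across files so readers do not assume two different components.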

@@ -0,0 +1,35 @@
# VEX Source Registration and Verification Pipeline
## Module
Excititor
## Status
IMPLEMENTED
## Description
VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.
## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.Worker/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`
- **Key Classes**:
- `VexWorkerHostedService` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs`) - background service scheduling provider runs
- `DefaultVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs`) - runs VEX provider connectors on schedule
- `OrchestratorVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs`) - orchestrator-managed provider runner
- `VexWorkerOrchestratorClient` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs`) - communicates with orchestrator for work assignment
- `VexWorkerHeartbeatService` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs`) - sends heartbeats to orchestrator
- `VexWorkerPluginCatalogLoader` (`src/Excititor/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs`) - loads available VEX connector plugins
- `VexConnectorBase` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs`) - base class for VEX source connectors
- `VexConnectorDescriptor` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs`) - descriptor metadata for connectors
- `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - verifies signatures during ingestion
- `VexWorkerSchedule` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs`) - schedule configuration for provider runs
- `MirrorRegistrationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs`) - REST endpoints for mirror/source registration
- **Interfaces**: `IVexProviderRunner`, `IVexConsensusRefreshScheduler`, `IVexWorkerOrchestratorClient`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Register a new VEX source via `MirrorRegistrationEndpoints` and verify it appears in the plugin catalog
- [ ] Verify `VexWorkerHostedService` schedules provider runs based on `VexWorkerSchedule` configuration
- [ ] Verify `DefaultVexProviderRunner` executes the connector and ingests VEX documents
- [ ] Verify `WorkerSignatureVerifier` validates signatures on ingested documents during the pipeline
- [ ] Verify `VexWorkerHeartbeatService` sends heartbeats to the orchestrator during long-running ingestion
- [ ] Verify `VexWorkerPluginCatalogLoader` discovers and loads all available vendor connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE)
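
Review bot: the `WorkerSignatureVerifier` item only covers the success path; add a failure-path item stating what the pipeline does when a fetched document fails signature verification (rejected and not persisted, provider run marked failed, or the document quarantined, whichever is implemented) so that an unsigned or badly signed vendor feed cannot silently enter consensus. The Description also promises issuer directory integration, but no class under Key Classes and no E2E item references the issuer directory; either list the component the worker uses for key lookup or drop it from the Description. Minor: the last item names six vendor connectors without paths; if those plugins live in this repository, list them under Key Classes so the test can check the catalog against a concrete expected set.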