feat(excititor+cli+web): VEX provider control plane — CLI + Web extensions (SPRINT_20260422_004)
Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.
CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced
Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow
Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced
Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.
This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
97
docs/modules/excititor/operations/provider-control-plane.md
Normal file
97
docs/modules/excititor/operations/provider-control-plane.md
Normal file
@@ -0,0 +1,97 @@
|
||||
# Excititor Provider Control Plane
|
||||
|
||||
This document describes the operator-facing control plane for Excititor VEX providers.
|
||||
|
||||
## Operator entry points
|
||||
|
||||
- Web UI: `Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers`
|
||||
- CLI:
|
||||
- `stella excititor list-providers`
|
||||
- `stella excititor show-provider --provider <id>`
|
||||
- `stella excititor enable-provider --provider <id>`
|
||||
- `stella excititor disable-provider --provider <id>`
|
||||
- `stella excititor run-provider --provider <id> [--since ... --window ... --force]`
|
||||
- `stella excititor update-provider --provider <id> ...`
|
||||
|
||||
Backend API:
|
||||
|
||||
- `GET /excititor/providers`
|
||||
- `GET /excititor/providers/{providerId}`
|
||||
- `PUT /excititor/providers/{providerId}`
|
||||
- `POST /excititor/providers/{providerId}/enable`
|
||||
- `POST /excititor/providers/{providerId}/disable`
|
||||
- `POST /excititor/providers/{providerId}/run`
|
||||
|
||||
## Readiness states
|
||||
|
||||
Excititor providers use four runtime readiness states:
|
||||
|
||||
- `ready`: persisted-enabled and the current host has a runnable connector
|
||||
- `blocked`: persisted-enabled but currently cooling down or otherwise not runnable
|
||||
- `disabled`: persisted-disabled
|
||||
- `planned`: cataloged provider without a runnable connector registered on the current host
|
||||
|
||||
`enabled` remains the operator intent flag. A provider can be `enabled=true` and still show `planned` or `blocked`.
|
||||
|
||||
## Provider inventory
|
||||
|
||||
| Provider ID | Kind | Default enabled | Registered in WebService | UI control plane | CLI control plane | Credential / config status | Notes |
|
||||
| --- | --- | --- | --- | --- | --- | --- | --- |
|
||||
| `excititor:redhat` | distro | true | yes | yes | yes | Public defaults; metadata and trust overrides can be persisted through the provider control plane. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:ubuntu` | distro | true | yes | yes | yes | Public defaults; metadata and trust overrides can be persisted through the provider control plane. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:oracle` | vendor | true | yes | yes | yes | Public defaults; metadata and trust overrides can be persisted through the provider control plane. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:cisco` | vendor | true | yes | yes | yes | Public CSAF metadata works without a persisted secret path. Optional API token support exists in connector host options, not in the new persisted UI or CLI surface. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:suse-rancher` | hub | false | yes | yes | yes | Discovery and trust metadata can be persisted. Authenticated discovery credentials remain host-config only today. Anonymous discovery can still be allowed by connector options. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:oci-openvex` | attestation | false | yes | yes | yes | Provider metadata and trust overrides can be persisted. Image subscriptions, registry credentials, and cosign credential material remain host-config only today. | Registered by default in `StellaOps.Excititor.WebService`. |
|
||||
| `excititor:msrc` | vendor | false | conditional | yes | yes | Persisted provider metadata exists, but MSRC connector credentials and offline token settings remain host-config only today. | Registered only when `Excititor:Connectors:Msrc` exists in host configuration. Otherwise the provider remains `planned`. |
|
||||
|
||||
## What the current provider control plane persists
|
||||
|
||||
The current `update-provider` surface persists:
|
||||
|
||||
- display name
|
||||
- provider kind
|
||||
- base URIs
|
||||
- well-known metadata URI
|
||||
- ROLIE service URI
|
||||
- trust weight
|
||||
- PGP fingerprints
|
||||
- cosign issuer
|
||||
- cosign identity pattern
|
||||
- enabled / disabled intent
|
||||
|
||||
The current provider control plane does not yet persist connector-secret fields such as:
|
||||
|
||||
- MSRC tenant, client ID, client secret, static access token, or offline token path
|
||||
- Rancher Hub token endpoint, client ID, or client secret
|
||||
- OCI registry username, password, identity token, refresh token, cosign key pair, or image subscription list
|
||||
- Cisco optional VEX API token
|
||||
|
||||
Those settings still come from host configuration today. The control plane is truthful about the gap by surfacing `planned` or `blocked` readiness instead of pretending the connector is runnable.
|
||||
|
||||
## Host wiring notes
|
||||
|
||||
- `StellaOps.Excititor.WebService` always registers:
|
||||
- Red Hat CSAF
|
||||
- Ubuntu CSAF
|
||||
- Oracle CSAF
|
||||
- Cisco CSAF
|
||||
- SUSE Rancher VEX Hub
|
||||
- OCI OpenVEX attestations
|
||||
- `StellaOps.Excititor.WebService` registers Microsoft MSRC CSAF only when the `Excititor:Connectors:Msrc` configuration section exists.
|
||||
- `StellaOps.Excititor.Worker` seeds these public defaults when no explicit provider schedule list is supplied:
|
||||
- `excititor:redhat`
|
||||
- `excititor:ubuntu`
|
||||
- `excititor:oracle`
|
||||
- `excititor:cisco`
|
||||
|
||||
## Verification state
|
||||
|
||||
Reverified in Sprint `20260422_004`:
|
||||
|
||||
- targeted backend tests for provider management endpoints passed against `StellaOps.Excititor.WebService.Tests.ProviderManagementEndpointsTests`
|
||||
- Angular route helper spec passed for the new VEX provider route
|
||||
- Angular development build passed with the new provider catalog page
|
||||
- CLI provider inspection and control verbs were added for the backend surface
|
||||
|
||||
The verification above covers the provider control plane and readiness behavior. It does not claim a fresh live ingest verification run for every upstream VEX provider in this sprint.
|
||||
Reference in New Issue
Block a user