feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)

Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/modules/concelier/operations/connectors/chromium.md

@@ -1,26 +1,49 @@
 # Concelier Chromium Connector - Operations Runbook
 
-_Last updated: 2026-01-16_
+_Last updated: 2026-04-22_
 
 ## 1. Overview
-The Chromium connector ingests Chromium security advisories and maps them to canonical IDs.
+
+The Chromium connector ingests Chromium security advisories and maps them to canonical IDs. The canonical runtime source ID is `chromium`.
 
 ## 2. Authentication
+
 - No authentication required for public advisories.
 
-## 3. Configuration (`concelier.yaml`)
+## 3. Configuration paths
+
+Primary operator path:
+
+- Web UI: **Security Posture -> Configure Sources** or **Ops -> Operations -> Feeds & Airgap -> Configure Sources**
+- CLI:
+  ```bash
+  stella db connectors configure chromium \
+    --server https://concelier.example.internal \
+    --set feedUri=https://mirror.example.internal/chromium/atom.xml
+  ```
+
+The Chromium connector does not require credentials. Use the UI/CLI configuration path only when overriding the canonical Chrome Releases Atom feed for a mirror or controlled ingestion path.
+
+Compatibility fallback (`concelier.yaml`):
+
 ```yaml
 concelier:
   sources:
     chromium:
-      baseUri: "<chromium-advisory-base>"
-      maxDocumentsPerFetch: 20
-      fetchTimeout: "00:00:45"
-      requestDelay: "00:00:00"
+      feedUri: "https://chromereleases.googleblog.com/atom.xml"
+      initialBackfill: "30.00:00:00"
+      windowOverlap: "2.00:00:00"
+      maxFeedPages: 4
+      maxEntriesPerPage: 50
 ```
 
 ## 4. Offline and air-gapped deployments
-- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+- Mirror the Atom feed and referenced post pages into the Offline Kit.
+- Repoint `feedUri` to the mirrored allowlisted endpoint.
 
 ## 5. Common failure modes
-- Feed cadence shifts during Chromium release trains.
+
+- Feed cadence shifts during Chromium release trains
+- Google changes the Atom feed or post markup used for stable-channel parsing
+- Operators mirror post pages but not the Atom feed that seeds discovery