todays product advirories implemented

docs/modules/concelier/connectors.md

@@ -1,7 +1,39 @@
 # Concelier Connectors
 
-This index lists Concelier connectors and links to their operational runbooks. For detailed procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
+This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
 
-| Connector | Source ID | Purpose | Ops Runbook |
-| --- | --- | --- | --- |
-| EPSS | `epss` | FIRST.org EPSS exploitation probability feed | `docs/modules/concelier/operations/connectors/epss.md` |
+| Connector | Source ID | Status | Auth | Ops Runbook |
+| --- | --- | --- | --- | --- |
+| NVD (NIST) | `nvd` | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
+| CVE (MITRE) | `cve` | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
+| OSV | `osv` | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
+| GHSA | `ghsa` | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
+| EPSS | `epss` | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
+| Alpine SecDB | `alpine` | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
+| Debian Security Tracker | `debian` | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
+| Ubuntu USN | `ubuntu` | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
+| Red Hat OVAL/CSAF | `redhat` | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
+| SUSE OVAL/CSAF | `suse` | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
+| Astra Linux | `astra` | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
+| CISA KEV | `kev` | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
+| CISA ICS-CERT | `ics-cisa` | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
+| CERT-CC | `cert-cc` | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
+| CERT-FR | `cert-fr` | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
+| CERT-Bund | `cert-bund` | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
+| CERT-In | `cert-in` | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
+| ACSC | `acsc` | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
+| CCCS | `cccs` | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
+| KISA | `kisa` | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
+| JVN | `jvn` | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
+| FSTEC BDU | `fstec-bdu` | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
+| NKCKI | `nkcki` | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
+| Microsoft MSRC | `msrc` | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
+| Cisco PSIRT | `cisco` | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
+| Oracle CPU | `oracle` | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
+| VMware | `vmware` | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
+| Adobe PSIRT | `adobe` | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
+| Apple Security | `apple` | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
+| Chromium | `chromium` | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
+| Kaspersky ICS-CERT | `kaspersky-ics` | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
+
+**Reason Codes Reference:** [docs/modules/concelier/operations/connectors/reason-codes.md](docs/modules/concelier/operations/connectors/reason-codes.md)

docs/modules/concelier/operations/connectors/acsc.md

@@ -0,0 +1,26 @@
+# Concelier ACSC Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The ACSC connector ingests Australian Cyber Security Centre advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    acsc:
+      baseUri: "<acsc-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror ACSC feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed schema updates.

docs/modules/concelier/operations/connectors/adobe.md

@@ -0,0 +1,26 @@
+# Concelier Adobe PSIRT Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Adobe connector ingests Adobe PSIRT advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    adobe:
+      baseUri: "<adobe-psirt-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream format changes or delayed bulletin updates.

docs/modules/concelier/operations/connectors/astra.md

@@ -0,0 +1,27 @@
+# Concelier Astra Linux Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Astra Linux connector ingests regional Astra advisories and maps them to Astra package versions.
+
+## 2. Authentication
+- No authentication required for public feeds unless a mirrored source enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    astra:
+      baseUri: "<astra-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror Astra advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Regional mirror availability.
+- Non-standard versioning metadata.

docs/modules/concelier/operations/connectors/cert-cc.md

@@ -0,0 +1,26 @@
+# Concelier CERT-CC Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-CC connector ingests CERT-CC vulnerability advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-cc:
+      baseUri: "<cert-cc-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-CC feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Source throttling or feed schema changes.

docs/modules/concelier/operations/connectors/cert-fr.md

@@ -0,0 +1,26 @@
+# Concelier CERT-FR Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-FR connector ingests CERT-FR advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-fr:
+      baseUri: "<cert-fr-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-FR feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Schema changes or feed outages.

docs/modules/concelier/operations/connectors/cert-in.md

@@ -0,0 +1,26 @@
+# Concelier CERT-In Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-In connector ingests CERT-In advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-in:
+      baseUri: "<cert-in-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-In feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed format changes or intermittent availability.

docs/modules/concelier/operations/connectors/chromium.md

@@ -0,0 +1,26 @@
+# Concelier Chromium Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Chromium connector ingests Chromium security advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    chromium:
+      baseUri: "<chromium-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed cadence shifts during Chromium release trains.

docs/modules/concelier/operations/connectors/cve.md

@@ -0,0 +1,27 @@
+# Concelier CVE (MITRE) Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CVE connector ingests MITRE CVE records to provide canonical IDs and record metadata.
+
+## 2. Authentication
+- No authentication required for public CVE feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cve:
+      baseUri: "<cve-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CVE feed into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream feed lag or pagination errors.
+- Schema validation errors on upstream record changes.

docs/modules/concelier/operations/connectors/debian.md

@@ -0,0 +1,27 @@
+# Concelier Debian Security Tracker Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Debian connector ingests Debian Security Tracker advisories and maps them to Debian package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    debian:
+      baseUri: "<debian-tracker-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror tracker feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Format changes in tracker exports.
+- Missing release metadata for legacy suites.

docs/modules/concelier/operations/connectors/fstec-bdu.md

@@ -0,0 +1,27 @@
+# Concelier FSTEC BDU Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The FSTEC BDU connector ingests the Russian BDU vulnerability database and maps entries to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds unless a regional mirror enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    fstec-bdu:
+      baseUri: "<fstec-bdu-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror BDU data into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Regional mirror availability.
+- Non-standard identifier formats.

docs/modules/concelier/operations/connectors/jvn.md

@@ -0,0 +1,26 @@
+# Concelier JVN Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The JVN connector ingests Japan Vulnerability Notes (JVN) advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    jvn:
+      baseUri: "<jvn-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror JVN feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed format changes or upstream outages.

docs/modules/concelier/operations/connectors/kaspersky-ics.md

@@ -0,0 +1,26 @@
+# Concelier Kaspersky ICS-CERT Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Kaspersky ICS-CERT connector ingests ICS/SCADA advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories unless a mirror enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    kaspersky-ics:
+      baseUri: "<kaspersky-ics-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed availability gaps for legacy advisories.

docs/modules/concelier/operations/connectors/nvd.md

@@ -0,0 +1,32 @@
+# Concelier NVD Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The NVD connector ingests CVE records and CVSS metadata from the NVD feed to enrich advisory observations.
+
+## 2. Authentication
+- Requires an API key configured in `concelier.yaml` under `sources.nvd.auth`.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    nvd:
+      baseUri: "<nvd-api-base>"
+      auth:
+        type: "api-key"
+        header: "apiKey"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the NVD feed into the Offline Kit and repoint `baseUri` to the mirror.
+- Keep fetch ordering deterministic by maintaining stable paging settings.
+
+## 5. Common failure modes
+- Missing/invalid API key.
+- Upstream rate limits.
+- Schema validation errors on malformed payloads.

docs/modules/concelier/operations/connectors/oracle.md

@@ -0,0 +1,26 @@
+# Concelier Oracle CPU Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Oracle connector ingests Oracle Critical Patch Update advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    oracle:
+      baseUri: "<oracle-cpu-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CPU advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Schedule drift during quarterly CPU updates.

docs/modules/concelier/operations/connectors/reason-codes.md

@@ -0,0 +1,13 @@
+# Concelier Connector Reason Codes
+
+_Last updated: 2026-01-16_
+
+This reference lists deterministic reason codes emitted by `stella db connectors status|list|test` outputs.
+
+| Code | Category | Meaning | Remediation |
+| --- | --- | --- | --- |
+| CON_RATE_001 | degraded | Upstream rate limit or throttling detected. | Reduce fetch cadence, honor `Retry-After`, or request higher quotas. |
+| CON_UPSTREAM_002 | failed | Upstream service unreachable or returning persistent errors. | Check upstream availability, retry with backoff, or switch to mirror. |
+| CON_TIMEOUT_001 | failed | Connector test exceeded timeout window. | Increase `--timeout` or troubleshoot network latency. |
+| CON_UNKNOWN_001 | unknown | No status data reported for enabled connector. | Verify scheduler and connector logs. |
+| CON_DISABLED_001 | disabled | Connector is disabled in configuration. | Enable in concelier configuration if required. |

docs/modules/concelier/operations/connectors/redhat.md

@@ -0,0 +1,27 @@
+# Concelier Red Hat OVAL/CSAF Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Red Hat connector ingests Red Hat OVAL/CSAF advisories and maps them to RHEL package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    redhat:
+      baseUri: "<redhat-csaf-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream CSAF schema changes.
+- Missing mappings for EUS or archived releases.

docs/modules/concelier/operations/connectors/suse.md

@@ -0,0 +1,27 @@
+# Concelier SUSE OVAL/CSAF Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The SUSE connector ingests SUSE OVAL/CSAF advisories and maps them to SUSE package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    suse:
+      baseUri: "<suse-csaf-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream CSAF schema changes.
+- Missing mappings for legacy maintenance releases.

docs/modules/concelier/operations/connectors/ubuntu.md

@@ -0,0 +1,26 @@
+# Concelier Ubuntu USN Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    ubuntu:
+      baseUri: "<ubuntu-usn-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- USN schema updates or missing release references.

docs/modules/concelier/operations/connectors/vmware.md

@@ -0,0 +1,26 @@
+# Concelier VMware Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The VMware connector ingests VMware security advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    vmware:
+      baseUri: "<vmware-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream format changes.