todays product advirories implemented

docs/modules/concelier/operations/connectors/acsc.md

@@ -0,0 +1,26 @@
+# Concelier ACSC Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The ACSC connector ingests Australian Cyber Security Centre advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    acsc:
+      baseUri: "<acsc-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror ACSC feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed schema updates.

docs/modules/concelier/operations/connectors/adobe.md

@@ -0,0 +1,26 @@
+# Concelier Adobe PSIRT Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Adobe connector ingests Adobe PSIRT advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    adobe:
+      baseUri: "<adobe-psirt-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream format changes or delayed bulletin updates.

docs/modules/concelier/operations/connectors/astra.md

@@ -0,0 +1,27 @@
+# Concelier Astra Linux Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Astra Linux connector ingests regional Astra advisories and maps them to Astra package versions.
+
+## 2. Authentication
+- No authentication required for public feeds unless a mirrored source enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    astra:
+      baseUri: "<astra-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror Astra advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Regional mirror availability.
+- Non-standard versioning metadata.

docs/modules/concelier/operations/connectors/cert-cc.md

@@ -0,0 +1,26 @@
+# Concelier CERT-CC Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-CC connector ingests CERT-CC vulnerability advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-cc:
+      baseUri: "<cert-cc-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-CC feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Source throttling or feed schema changes.

docs/modules/concelier/operations/connectors/cert-fr.md

@@ -0,0 +1,26 @@
+# Concelier CERT-FR Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-FR connector ingests CERT-FR advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-fr:
+      baseUri: "<cert-fr-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-FR feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Schema changes or feed outages.

docs/modules/concelier/operations/connectors/cert-in.md

@@ -0,0 +1,26 @@
+# Concelier CERT-In Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CERT-In connector ingests CERT-In advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cert-in:
+      baseUri: "<cert-in-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CERT-In feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed format changes or intermittent availability.

docs/modules/concelier/operations/connectors/chromium.md

@@ -0,0 +1,26 @@
+# Concelier Chromium Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Chromium connector ingests Chromium security advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    chromium:
+      baseUri: "<chromium-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed cadence shifts during Chromium release trains.

docs/modules/concelier/operations/connectors/cve.md

@@ -0,0 +1,27 @@
+# Concelier CVE (MITRE) Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The CVE connector ingests MITRE CVE records to provide canonical IDs and record metadata.
+
+## 2. Authentication
+- No authentication required for public CVE feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    cve:
+      baseUri: "<cve-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CVE feed into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream feed lag or pagination errors.
+- Schema validation errors on upstream record changes.

docs/modules/concelier/operations/connectors/debian.md

@@ -0,0 +1,27 @@
+# Concelier Debian Security Tracker Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Debian connector ingests Debian Security Tracker advisories and maps them to Debian package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    debian:
+      baseUri: "<debian-tracker-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror tracker feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Format changes in tracker exports.
+- Missing release metadata for legacy suites.

docs/modules/concelier/operations/connectors/fstec-bdu.md

@@ -0,0 +1,27 @@
+# Concelier FSTEC BDU Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The FSTEC BDU connector ingests the Russian BDU vulnerability database and maps entries to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds unless a regional mirror enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    fstec-bdu:
+      baseUri: "<fstec-bdu-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror BDU data into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Regional mirror availability.
+- Non-standard identifier formats.

docs/modules/concelier/operations/connectors/jvn.md

@@ -0,0 +1,26 @@
+# Concelier JVN Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The JVN connector ingests Japan Vulnerability Notes (JVN) advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    jvn:
+      baseUri: "<jvn-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror JVN feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed format changes or upstream outages.

docs/modules/concelier/operations/connectors/kaspersky-ics.md

@@ -0,0 +1,26 @@
+# Concelier Kaspersky ICS-CERT Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Kaspersky ICS-CERT connector ingests ICS/SCADA advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories unless a mirror enforces access controls.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    kaspersky-ics:
+      baseUri: "<kaspersky-ics-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Feed availability gaps for legacy advisories.

docs/modules/concelier/operations/connectors/nvd.md

@@ -0,0 +1,32 @@
+# Concelier NVD Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The NVD connector ingests CVE records and CVSS metadata from the NVD feed to enrich advisory observations.
+
+## 2. Authentication
+- Requires an API key configured in `concelier.yaml` under `sources.nvd.auth`.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    nvd:
+      baseUri: "<nvd-api-base>"
+      auth:
+        type: "api-key"
+        header: "apiKey"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the NVD feed into the Offline Kit and repoint `baseUri` to the mirror.
+- Keep fetch ordering deterministic by maintaining stable paging settings.
+
+## 5. Common failure modes
+- Missing/invalid API key.
+- Upstream rate limits.
+- Schema validation errors on malformed payloads.

docs/modules/concelier/operations/connectors/oracle.md

@@ -0,0 +1,26 @@
+# Concelier Oracle CPU Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Oracle connector ingests Oracle Critical Patch Update advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    oracle:
+      baseUri: "<oracle-cpu-feed-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror CPU advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Schedule drift during quarterly CPU updates.

docs/modules/concelier/operations/connectors/reason-codes.md

@@ -0,0 +1,13 @@
+# Concelier Connector Reason Codes
+
+_Last updated: 2026-01-16_
+
+This reference lists deterministic reason codes emitted by `stella db connectors status|list|test` outputs.
+
+| Code | Category | Meaning | Remediation |
+| --- | --- | --- | --- |
+| CON_RATE_001 | degraded | Upstream rate limit or throttling detected. | Reduce fetch cadence, honor `Retry-After`, or request higher quotas. |
+| CON_UPSTREAM_002 | failed | Upstream service unreachable or returning persistent errors. | Check upstream availability, retry with backoff, or switch to mirror. |
+| CON_TIMEOUT_001 | failed | Connector test exceeded timeout window. | Increase `--timeout` or troubleshoot network latency. |
+| CON_UNKNOWN_001 | unknown | No status data reported for enabled connector. | Verify scheduler and connector logs. |
+| CON_DISABLED_001 | disabled | Connector is disabled in configuration. | Enable in concelier configuration if required. |

docs/modules/concelier/operations/connectors/redhat.md

@@ -0,0 +1,27 @@
+# Concelier Red Hat OVAL/CSAF Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Red Hat connector ingests Red Hat OVAL/CSAF advisories and maps them to RHEL package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    redhat:
+      baseUri: "<redhat-csaf-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream CSAF schema changes.
+- Missing mappings for EUS or archived releases.

docs/modules/concelier/operations/connectors/suse.md

@@ -0,0 +1,27 @@
+# Concelier SUSE OVAL/CSAF Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The SUSE connector ingests SUSE OVAL/CSAF advisories and maps them to SUSE package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    suse:
+      baseUri: "<suse-csaf-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream CSAF schema changes.
+- Missing mappings for legacy maintenance releases.

docs/modules/concelier/operations/connectors/ubuntu.md

@@ -0,0 +1,26 @@
+# Concelier Ubuntu USN Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
+
+## 2. Authentication
+- No authentication required for public feeds.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    ubuntu:
+      baseUri: "<ubuntu-usn-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- USN schema updates or missing release references.

docs/modules/concelier/operations/connectors/vmware.md

@@ -0,0 +1,26 @@
+# Concelier VMware Connector - Operations Runbook
+
+_Last updated: 2026-01-16_
+
+## 1. Overview
+The VMware connector ingests VMware security advisories and maps them to canonical IDs.
+
+## 2. Authentication
+- No authentication required for public advisories.
+
+## 3. Configuration (`concelier.yaml`)
+```yaml
+concelier:
+  sources:
+    vmware:
+      baseUri: "<vmware-advisory-base>"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+```
+
+## 4. Offline and air-gapped deployments
+- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
+
+## 5. Common failure modes
+- Upstream format changes.