chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work: - docs/modules/**: sync across advisory-ai, airgap, cli, excititor, export-center, findings-ledger, notifier, notify, platform, router, sbom-service, ui, web (architectural + operational updates) - docs/features/**: updates to checked excititor vex pipeline, developer workspace, quick verify drawer - docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE, code-of-conduct/TESTING_PRACTICES updates - docs/qa/feature-checks/: FLOW.md + excititor state update - docs/implplan/: remaining sprint updates + new Concelier source credentials sprint (SPRINT_20260422_003) - docs-archived/implplan/: 30 sprint archival moves (ElkSharp series, misc completed sprints) - devops/compose: .env + services compose + env example + router gateway config updates File-level granularity preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:06:39 +03:00
parent ad77711ac2
commit 7943cfb3af
121 changed files with 10483 additions and 387 deletions
--- a/docs/modules/cli/guides/airgap.md
+++ b/docs/modules/cli/guides/airgap.md
@@ -32,6 +32,7 @@ Offline/air-gapped usage patterns for the Stella CLI.
  ```bash
  stella airgap import --bundle /mnt/media/mirror.tar --generation 12
  ```
+  Imported mirror-bundle metadata is written durably under `%LocalApplicationData%/stellaops/offline-kit/state/mirror-bundles`, so the import history survives fresh CLI processes instead of relying on process-local memory.
 - Check sealed mode status
  ```bash
  stella airgap status
@@ -45,6 +46,7 @@ Offline/air-gapped usage patterns for the Stella CLI.
 - Commands must succeed without egress; any outbound attempt is a bug—report with logs.
 - Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
 - Outputs are stable JSON/NDJSON; timestamps use UTC.
+- Mirror-bundle import metadata is persisted locally with deterministic ordinal ordering for content paths and bundle items.

 ## Exit codes
 - `0` success
--- a/docs/modules/cli/guides/commands/db.md
+++ b/docs/modules/cli/guides/commands/db.md
@@ -1,11 +1,60 @@
 # stella db - Command Guide

-The `stella db` command group triggers Concelier database operations via backend jobs (connector stages, merge reconciliation, exports).
+The `stella db` command group triggers Concelier database operations via backend jobs and advisory-source management APIs.

 These commands are operational: they typically require Authority authentication and appropriate Concelier scopes.

 ## Commands

+### db connectors configure
+
+Inspect or update persisted advisory source configuration.
+
+```bash
+stella db connectors configure ghsa --server https://concelier.example.internal
+
+stella db connectors configure ghsa \
+  --server https://concelier.example.internal \
+  --set apiToken=github_pat_xxx
+
+stella db connectors configure cisco \
+  --server https://concelier.example.internal \
+  --set clientId=... \
+  --set clientSecret=...
+
+stella db connectors configure microsoft \
+  --server https://concelier.example.internal \
+  --set tenantId=... \
+  --set clientId=... \
+  --set clientSecret=...
+
+stella db connectors configure oracle \
+  --server https://concelier.example.internal \
+  --set calendarUris=https://www.oracle.com/security-alerts/,https://mirror.example.internal/oracle/
+
+stella db connectors configure adobe \
+  --server https://concelier.example.internal \
+  --set indexUri=https://mirror.example.internal/adobe/security-bulletin.html
+
+stella db connectors configure chromium \
+  --server https://concelier.example.internal \
+  --set feedUri=https://mirror.example.internal/chromium/atom.xml
+```
+
+Options:
+
+- `--set key=value`: set a field value. Repeat for multiple fields.
+- `--clear <field>`: clear a stored field. Repeat for multiple fields.
+- `--server`: Concelier API base URL.
+- `--tenant`, `-t`: tenant override.
+- `--format`, `-f`: `text` or `json`.
+
+Notes:
+
+- Sensitive fields are returned as retained or not-set markers, not plaintext values.
+- Multi-value URI fields accept comma-, semicolon-, or newline-separated absolute URIs.
+- The current CLI path sends literal values on the command line. Use the Web UI path if command-history exposure is unacceptable for a secret.
+
 ### db fetch

 Trigger a connector stage (`fetch`, `parse`, or `map`) for a given source.
@@ -17,9 +66,10 @@ stella db fetch --source osv --stage map
 ```

 Options:
- `--source` (required): connector identifier (for example `osv`, `redhat`, `ghsa`).
- `--stage` (optional): `fetch`, `parse`, or `map` (defaults to `fetch`).
- `--mode` (optional): connector-specific mode (for example `init`, `resume`, `cursor`).
+
+- `--source` (required): connector identifier such as `osv`, `redhat`, `ghsa`, or `cisco`
+- `--stage` (optional): `fetch`, `parse`, or `map` (defaults to `fetch`)
+- `--mode` (optional): connector-specific mode such as `init`, `resume`, or `cursor`

 ### db merge

@@ -39,22 +89,24 @@ stella db export --format trivy-db --delta
 ```

 Options:
- `--format` (optional): `json` or `trivy-db` (defaults to `json`).
- `--delta` (optional): request a delta export when supported.
- `--publish-full` / `--publish-delta` (optional): override whether exports are published (true/false).
- `--bundle-full` / `--bundle-delta` (optional): override whether offline bundles include full/delta exports (true/false).
+
+- `--format` (optional): `json` or `trivy-db`
+- `--delta` (optional): request a delta export when supported
+- `--publish-full` or `--publish-delta` (optional): override publish behavior
+- `--bundle-full` or `--bundle-delta` (optional): override offline bundle behavior

 ## Common setup

 Point the CLI at the Concelier base URL:
+
 ```bash
 export STELLAOPS_BACKEND_URL="https://concelier.example.internal"
 ```

 Authenticate:
+
 ```bash
 stella auth login
 ```

-See: `docs/CONCELIER_CLI_QUICKSTART.md` and `docs/modules/concelier/operations/authority-audit-runbook.md`.
-
+See `docs/CONCELIER_CLI_QUICKSTART.md` and `docs/modules/concelier/operations/authority-audit-runbook.md`.
--- a/docs/modules/cli/guides/crypto/crypto-commands.md
+++ b/docs/modules/cli/guides/crypto/crypto-commands.md
@@ -8,6 +8,8 @@

 The `stella crypto` command group provides cryptographic operations with regional compliance support. The available crypto providers depend on your distribution build.

+`stella crypto sign` resolves a real signing key from the configured provider set and emits an actual `dsse`, detached `jws`, or `raw` signature. `stella crypto verify` performs real verification either against provider-managed key material or a supplied trust policy.
+
 ## Distribution Matrix

 | Distribution | Build Flag | Crypto Standards | Providers |
@@ -23,6 +25,8 @@ The `stella crypto` command group provides cryptographic operations with regiona

 Sign artifacts using configured crypto provider.

+The CLI selects a provider-exposed signing key at runtime. When multiple provider keys are available, use `--provider` and `--key-id` to make the selection explicit.
+
 **Usage:**
 ```bash
 stella crypto sign --input <file> [options]
@@ -32,9 +36,9 @@ stella crypto sign --input <file> [options]
 - `--input <path>` - Path to file to sign (required)
 - `--output <path>` - Output path for signature (default: `<input>.sig`)
 - `--provider <name>` - Override crypto provider (e.g., `gost-cryptopro`, `eidas-tsp`, `sm-remote`)
- `--key-id <id>` - Key identifier for signing
+- `--key-id <id>` - Key identifier for signing when multiple provider keys are exposed
 - `--format <format>` - Signature format: `dsse`, `jws`, `raw` (default: `dsse`)
- `--detached` - Create detached signature (default: true)
+- `--detached` - Create detached signature (default: true; `jws` output is detached only)
 - `--verbose` - Show detailed output

 **Examples:**
@@ -54,6 +58,11 @@ stella crypto sign --input contract.pdf --provider eidas-tsp --format jws

 Verify signatures using configured crypto provider.

+Verification behavior depends on the signature material:
+- `dsse` and detached `jws` can carry key identity metadata, so the CLI can usually resolve the provider key directly.
+- `raw` signatures carry no metadata, so `--provider`, `--key-id`, or `--trust-policy` are typically required.
+- `--trust-policy` verifies against exported public keys and does not require provider access to private key material.
+
 **Usage:**
 ```bash
 stella crypto verify --input <file> [options]
@@ -63,6 +72,7 @@ stella crypto verify --input <file> [options]
 - `--input <path>` - Path to file to verify (required)
 - `--signature <path>` - Path to signature file (default: `<input>.sig`)
 - `--provider <name>` - Override crypto provider
+- `--key-id <id>` - Key identifier used during verification when provider or trust-policy resolution is ambiguous
 - `--trust-policy <path>` - Path to trust policy YAML file
 - `--format <format>` - Signature format: `dsse`, `jws`, `raw` (auto-detect if omitted)
 - `--verbose` - Show detailed output
@@ -77,7 +87,10 @@ stella crypto verify --input artifact.tar.gz
 stella crypto verify --input artifact.tar.gz --trust-policy ./policies/production-trust.yaml

 # Verify specific provider signature
-stella crypto verify --input contract.pdf --provider eidas-tsp --signature contract.jws
+stella crypto verify --input contract.pdf --provider eidas-tsp --key-id prod-signing-2025 --signature contract.jws
+
+# Verify a raw signature with explicit provider key selection
+stella crypto verify --input artifact.tar.gz --signature artifact.tar.gz.sig --format raw --provider default --key-id prod-signing-2025
 ```

 ### `stella crypto profiles`