docs consolidation

StellaOps Bot
2025-12-24 12:38:14 +02:00
parent 7503c19b8f
commit 9a08d10b89
215 changed files with 2188 additions and 9623 deletions


@@ -120,15 +120,18 @@ Correlate audit logs with the following global meter exported via `Concelier.Sou
## 4. Rollout & Verification Procedure
1. **Pre-checks**
- Align with the rollout phases documented in `docs/10_CONCELIER_CLI_QUICKSTART.md` (validation → rehearsal → enforced) and record the target dates in your change request.
- Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
- Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
2. **Smoke test with valid token**
- Obtain a token via CLI: `stella auth login --scope "concelier.jobs.trigger advisory:ingest" --scope advisory:read`.
- Trigger a read-only endpoint: `curl -H "Authorization: Bearer $TOKEN" https://concelier.internal/jobs/definitions`.
- Expect HTTP 200/202 and an audit log with `bypass=False`, `scopes=concelier.jobs.trigger advisory:ingest advisory:read`, and `tenant=tenant-default`.
1. **Pre-checks**
- Align with your rollout plan and record the target dates in your change request.
- Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
- Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
2. **Smoke test with valid token**
- Authenticate (cached): `stella auth login`.
- Mint a scoped token for curl (example):
- `TOKEN="$(stella auth token mint --service-account concelier-jobs --scope concelier.jobs.trigger --scope advisory:ingest --scope advisory:read --tenant tenant-default --reason \"concelier auth smoke test\" --raw)"`
- Trigger a read-only endpoint:
- `curl -H "Authorization: Bearer $TOKEN" -H "X-Stella-Tenant: tenant-default" https://concelier.internal/jobs/definitions`
- Expect HTTP 200/202 and an audit log with `bypass=False`, `scopes=concelier.jobs.trigger advisory:ingest advisory:read`, and `tenant=tenant-default`.
3. **Negative test without token**
- Call the same endpoint without a token. Expect HTTP 401, `bypass=False`.
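Review bot: the new token-mint line (`TOKEN="$(stella auth token mint ... --reason \"concelier auth smoke test\" --raw)"`) has a quoting bug: inside `$(...)` the shell starts a fresh quoting context, so the escaped `\"` are passed through as literal quote characters and the reason is split into the words `"concelier`, `auth`, `smoke`, `test"`, leaving `--reason` with only the first fragment and three stray positional arguments. Use plain double quotes inside the substitution, `--reason "concelier auth smoke test"`, which is valid even though the outer string is double-quoted. Separately, the replacement pre-check drops the pointer to `docs/10_CONCELIER_CLI_QUICKSTART.md` and its validation → rehearsal → enforced phases in favour of "your rollout plan"; if that file still exists after the consolidation, keep the reference so operators know which phases the change request should record.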
@@ -153,7 +156,7 @@ Correlate audit logs with the following global meter exported via `Concelier.Sou
## 6. References
- `docs/21_INSTALL_GUIDE.md` Authority configuration quick start.
- `docs/17_SECURITY_HARDENING_GUIDE.md` Security guardrails and enforcement deadlines.
- `docs/modules/authority/operations/monitoring.md` Authority-side monitoring and alerting playbook.
- `StellaOps.Concelier.WebService/Filters/JobAuthorizationAuditFilter.cs` source of audit log fields.
- `docs/21_INSTALL_GUIDE.md` - Authority configuration quick start.
- `docs/17_SECURITY_HARDENING_GUIDE.md` - Security guardrails and enforcement.
- `docs/modules/authority/operations/monitoring.md` - Authority-side monitoring and alerting playbook.
- `src/Concelier/StellaOps.Concelier.WebService/Filters/JobAuthorizationAuditFilter.cs` - Source of audit log fields.


@@ -45,7 +45,7 @@ Expect all logs at `Information`. Ensure OTEL exporters include the scope `Stell
- `eventId=1002` with `reason="equal_rank"` - indicates precedence table gaps; page merge owners.
- `eventId=1002` with `reason="mismatch"` - severity disagreement; open connector bug if sustained.
3. **Job health**
- `stellaops-cli db merge` exit code `1` signifies unresolved conflicts. Pipe to automation that captures logs and notifies #concelier-ops.
- `stella db merge` exit code `1` signifies unresolved conflicts. Pipe to automation that captures logs and notifies #concelier-ops.
### Threshold updates (2025-10-12)
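Review bot: beyond the `stellaops-cli` to `stella` rename, the line still tells automation to treat `stella db merge` exit code `1` as "unresolved conflicts"; exit code 1 is also the generic failure code for most CLIs, so confirm that other failures (connectivity, auth) exit with a distinct code, otherwise the automation that pages #concelier-ops cannot tell a merge conflict from a crashed job. If the codes are not distinct, document that the automation should also check the structured log for the `eventId=1002` entries listed above.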
@@ -58,7 +58,7 @@ Expect all logs at `Information`. Ensure OTEL exporters include the scope `Stell
## 4. Triage Workflow
1. **Confirm job context**
- `stellaops-cli db merge` (CLI) or `POST /jobs/merge:reconcile` (API) to rehydrate the merge job. Use `--verbose` to stream structured logs during triage.
- `stella db merge` (CLI) or `POST /jobs/merge:reconcile` (API) to rehydrate the merge job. Use `--verbose` to stream structured logs during triage.
2. **Inspect metrics**
- Correlate spikes in `concelier.merge.conflicts` with `primary_source`/`suppressed_source` tags from `concelier.merge.overrides`.
3. **Pull structured logs**
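Review bot: `--verbose` is mentioned after both the CLI and the API alternative, but it is a CLI flag; reword to "Use `stella db merge --verbose` to stream structured logs" so nobody tries to pass it to `POST /jobs/merge:reconcile`. Also, this is the only runbook in the commit that uses a `/jobs/merge:reconcile` path, while the others use `POST /jobs/run { "kind": ... }`; confirm the endpoint is still current after the CLI rename.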
@@ -94,7 +94,7 @@ Expect all logs at `Information`. Ensure OTEL exporters include the scope `Stell
## 6. Resolution Playbook
1. **Connector data fix**
- Re-run the offending connector stages (`stellaops-cli db fetch --source ghsa --stage map` etc.).
- Re-run the offending connector stages (`stella db fetch --source ghsa --stage map` etc.).
- Once fixed, rerun merge and verify `decisionReason` reflects `freshness` or `precedence` as expected.
2. **Temporary precedence override**
- Edit `etc/concelier.yaml`:
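Review bot: "`stella db fetch --source ghsa --stage map` etc." leaves the stage names implicit; spell out the three values used elsewhere in this commit (`--stage fetch`, `--stage parse`, `--stage map`) and state which of them a data fix normally requires, since re-running only `map` presumes the fetched and parsed documents for the source are still present and correct. The follow-up line (rerun merge and check `decisionReason`) is fine as is.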


@@ -25,13 +25,13 @@ concelier:
## 2. Staging Smoke Test
1. Deploy the configuration and restart the Concelier workers to ensure the Apple connector options are bound.
2. Trigger a full connector cycle:
- CLI: `stella db jobs run source:vndr-apple:fetch --and-then source:vndr-apple:parse --and-then source:vndr-apple:map`
- REST: `POST /jobs/run { "kind": "source:vndr-apple:fetch", "chain": ["source:vndr-apple:parse", "source:vndr-apple:map"] }`
3. Validate metrics exported under meter `StellaOps.Concelier.Connector.Vndr.Apple`:
- `apple.fetch.items` (documents fetched)
- `apple.fetch.failures`
1. Deploy the configuration and restart the Concelier workers to ensure the Apple connector options are bound.
2. Trigger a full connector cycle:
- CLI: run `stella db fetch --source vndr-apple --stage fetch`, then `--stage parse`, then `--stage map`.
- REST: `POST /jobs/run { "kind": "source:vndr-apple:fetch", "chain": ["source:vndr-apple:parse", "source:vndr-apple:map"] }`
3. Validate metrics exported under meter `StellaOps.Concelier.Connector.Vndr.Apple`:
- `apple.fetch.items` (documents fetched)
- `apple.fetch.failures`
- `apple.fetch.unchanged`
- `apple.parse.failures`
- `apple.map.affected.count` (histogram of affected package counts)
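Review bot: "run `stella db fetch --source vndr-apple --stage fetch`, then `--stage parse`, then `--stage map`" reads as if `--stage parse` were a command on its own; write out the three full invocations (the `--source vndr-apple` flag has to be repeated each time) so the CLI line is copy-pasteable like the REST line directly below it.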


@@ -53,7 +53,7 @@ Suggested Grafana alerts:
2. **Stage ingestion**:
- Temporarily raise `maxEntriesPerFetch` (e.g. 500) and restart Concelier workers.
- Run chained jobs until `pendingDocuments` drains:
`stella db jobs run source:cccs:fetch --and-then source:cccs:parse --and-then source:cccs:map`
Run `stella db fetch --source cccs --stage fetch`, then `--stage parse`, then `--stage map`.
- Monitor `cccs.fetch.unchanged` growth; once it approaches dataset size the backfill is complete.
3. **Optional pagination sweep** for incremental mirrors, iterate `page=<n>` (0…N) while `response.Count == 50`, persisting JSON to disk. Store alongside metadata (`language`, `page`, SHA256) so repeated runs detect drift.
4. **Language split** keep EN/FR payloads separate to preserve canonical language fields. The connector emits `Language` directly from the feed entry, so mixed ingestion simply produces parallel advisories keyed by the same serial number.
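Review bot: the replacement line starts with "Run" directly under the parent bullet "Run chained jobs until `pendingDocuments` drains:", so the rendered text reads "Run chained jobs ... drains: Run `stella db fetch ...`". Drop the leading "Run" and, since the single chained command was replaced by three separate invocations, say explicitly that the whole fetch/parse/map sequence is what gets repeated until `pendingDocuments` drains, not just the fetch stage.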


@@ -124,7 +124,7 @@ operating offline.
### 3.4 Connector-driven catch-up
1. Temporarily raise `maxAdvisoriesPerFetch` (e.g. 150) and reduce `requestDelay`.
2. Run `stella db jobs run source:cert-bund:fetch --and-then source:cert-bund:parse --and-then source:cert-bund:map` until the fetch log reports `enqueued=0`.
2. Run `stella db fetch --source cert-bund --stage fetch`, then `--stage parse`, then `--stage map` until the fetch log reports `enqueued=0`.
3. Restore defaults and capture the cursor snapshot for audit.
---
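Review bot: the loop condition "until the fetch log reports `enqueued=0`" now attaches to a three-command sequence; state whether the operator should stop after the fetch invocation that reports `enqueued=0` or still run `--stage parse` and `--stage map` one final time to drain what the last fetch enqueued. With the old `--and-then` chain this was unambiguous; with separate invocations it is not.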


@@ -33,7 +33,7 @@ This runbook describes how Ops provisions, rotates, and distributes Cisco PSIRT
- Update `concelier:sources:cisco:auth` (or the module-specific secret template) with the stored credentials.
- For Offline Kit delivery, export encrypted secrets into `offline-kit/secrets/cisco-openvuln.json` using the platforms sealed secret format.
4. **Connectivity validation**
- From the Concelier control plane, run `stella db jobs run source:vndr-cisco:fetch --dry-run`.
- From the Concelier control plane, run `stella db fetch --source vndr-cisco --stage fetch` (use staging or a controlled window).
- Ensure the Source HTTP diagnostics record `Bearer` authorization headers and no 401/403 responses.
## 4. Rotation SOP
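Review bot: this hunk removes `--dry-run` and replaces it with a real fetch plus the advice "use staging or a controlled window", which changes the step's semantics: the old command validated credentials without ingesting data, the new one writes Cisco documents into the store. If `stella db fetch` has no dry-run equivalent, say so explicitly in the runbook and note that the connectivity check now has the side effect of a normal fetch cycle, so Ops can schedule it accordingly. Unrelated context nit: "the platforms sealed secret format" should be "the platform's".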


@@ -34,7 +34,7 @@ concelier:
1. Deploy the updated configuration and restart the Concelier service so the connector picks up the credentials.
2. Trigger one end-to-end cycle:
- Concelier CLI: `stella db jobs run source:cve:fetch --and-then source:cve:parse --and-then source:cve:map`
- Concelier CLI: run `stella db fetch --source cve --stage fetch`, then `--stage parse`, then `--stage map`.
- REST fallback: `POST /jobs/run { "kind": "source:cve:fetch", "chain": ["source:cve:parse", "source:cve:map"] }`
3. Observe the following metrics (exported via OTEL meter `StellaOps.Concelier.Connector.Cve`):
- `cve.fetch.attempts`, `cve.fetch.success`, `cve.fetch.documents`, `cve.fetch.failures`, `cve.fetch.unchanged`
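Review bot: the chained `--and-then` form guaranteed that parse ran only after fetch completed; with three separate `stella db fetch` invocations nothing enforces that ordering, so add "wait for each invocation to finish before starting the next", otherwise the metric check in step 3 (`cve.fetch.documents`, `cve.fetch.unchanged`, ...) may be read against a partially processed cycle. The REST fallback line still chains the three stages in one request, which is the behaviour the CLI text should match.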
@@ -107,7 +107,7 @@ Treat repeated schema failures or growing anomaly counts as an upstream regressi
1. Deploy the configuration and restart Concelier.
2. Trigger a pipeline run:
- CLI: `stella db jobs run source:kev:fetch --and-then source:kev:parse --and-then source:kev:map`
- CLI: run `stella db fetch --source kev --stage fetch`, then `--stage parse`, then `--stage map`.
- REST: `POST /jobs/run { "kind": "source:kev:fetch", "chain": ["source:kev:parse", "source:kev:map"] }`
3. Verify the metrics exposed by meter `StellaOps.Concelier.Connector.Kev`:
- `kev.fetch.attempts`, `kev.fetch.success`, `kev.fetch.unchanged`, `kev.fetch.failures`
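Review bot: the command is named `stella db fetch` but is also used for `--stage parse` and `--stage map`, which will confuse readers who expect a `fetch` command to only fetch; a one-line note at the first occurrence in this runbook that `db fetch` is the generic per-stage pipeline runner (as the rename across this commit implies) would avoid that.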


@@ -24,7 +24,7 @@ concelier:
1. Restart Concelier workers after configuration changes.
2. Trigger a full cycle:
- CLI: `stella db jobs run source:epss:fetch --and-then source:epss:parse --and-then source:epss:map`
- CLI: run `stella db fetch --source epss --stage fetch`, then `--stage parse`, then `--stage map`.
- REST: `POST /jobs/run { "kind": "source:epss:fetch", "chain": ["source:epss:parse", "source:epss:map"] }`
3. Verify document status transitions: `pending_parse` -> `pending_map` -> `mapped`.
4. Confirm log entries for `Fetched EPSS snapshot` and parse/map summaries.
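Review bot: step 3 lists the status transitions `pending_parse` -> `pending_map` -> `mapped`, which line up one-to-one with the three new invocations; tie them together ("after `--stage fetch` documents show `pending_parse`, after `--stage parse` they show `pending_map`, after `--stage map` they show `mapped`") so the operator has a checkpoint between commands instead of only at the end.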


@@ -79,7 +79,7 @@ If credentials are still pending, populate the connector with the community CSV
```bash
CONCELIER_SOURCES_ICSCISA_GOVDELIVERY_CODE=... \
CONCELIER_SOURCES_ICSCISA_ENABLEDETAILSCRAPE=1 \
stella db jobs run source:ics-cisa:fetch --and-then source:ics-cisa:parse --and-then source:ics-cisa:map
Run `stella db fetch --source ics-cisa --stage fetch`, then `--stage parse`, then `--stage map`.
```
3. Confirm logs contain `ics-cisa detail fetch` entries and that new documents/DTOs include attachments (see `docs/artifacts/icscisa`). Canonical advisories should expose PDF links as `references.kind == "attachment"` and affected packages should surface `primitives.semVer.exactValue` for single-version hits.
4. If Akamai blocks direct fetches, set `concelier:sources:icscisa:proxyUri` to your allow-listed egress proxy and rerun the dry-run.
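Review bot: the new line is prose ("Run `stella db fetch ...`, then `--stage parse`, then `--stage map`.") placed inside a ```bash fence, and the two `CONCELIER_SOURCES_ICSCISA_*` assignments above it end with line-continuation backslashes, so the block as committed is not a runnable shell snippet. Replace the prose with the three actual commands, each prefixed with the two environment variables (or export them once above), and update step 4, which still says "rerun the dry-run" even though no dry-run invocation remains in this block.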


@@ -25,7 +25,7 @@ concelier:
1. Restart the Concelier workers so the KISA options bind.
2. Run a full connector cycle:
- CLI: `stella db jobs run source:kisa:fetch --and-then source:kisa:parse --and-then source:kisa:map`
- CLI: run `stella db fetch --source kisa --stage fetch`, then `--stage parse`, then `--stage map`.
- REST: `POST /jobs/run { "kind": "source:kisa:fetch", "chain": ["source:kisa:parse", "source:kisa:map"] }`
3. Confirm telemetry (Meter `StellaOps.Concelier.Connector.Kisa`):
- `kisa.feed.success`, `kisa.feed.items`
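Review bot: the telemetry check in step 3 only makes sense once all three stages have finished, but nothing in the new three-command form tells the operator when the map stage is done; add the expected final document status or log line, as the EPSS runbook in this commit does with `pending_map` -> `mapped`, so the `kisa.feed.*` counters are read after a complete cycle.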