docs consolidation

docs/modules/concelier/operations/connectors/apple.md

@@ -25,13 +25,13 @@ concelier:
 
 ## 2. Staging Smoke Test
 
-1. Deploy the configuration and restart the Concelier workers to ensure the Apple connector options are bound.
-2. Trigger a full connector cycle:
-   - CLI: `stella db jobs run source:vndr-apple:fetch --and-then source:vndr-apple:parse --and-then source:vndr-apple:map`
-   - REST: `POST /jobs/run { "kind": "source:vndr-apple:fetch", "chain": ["source:vndr-apple:parse", "source:vndr-apple:map"] }`
-3. Validate metrics exported under meter `StellaOps.Concelier.Connector.Vndr.Apple`:
-   - `apple.fetch.items` (documents fetched)
-   - `apple.fetch.failures`
+1. Deploy the configuration and restart the Concelier workers to ensure the Apple connector options are bound.
+2. Trigger a full connector cycle:
+   - CLI: run `stella db fetch --source vndr-apple --stage fetch`, then `--stage parse`, then `--stage map`.
+   - REST: `POST /jobs/run { "kind": "source:vndr-apple:fetch", "chain": ["source:vndr-apple:parse", "source:vndr-apple:map"] }`
+3. Validate metrics exported under meter `StellaOps.Concelier.Connector.Vndr.Apple`:
+   - `apple.fetch.items` (documents fetched)
+   - `apple.fetch.failures`
    - `apple.fetch.unchanged`
    - `apple.parse.failures`
    - `apple.map.affected.count` (histogram of affected package counts)

docs/modules/concelier/operations/connectors/cccs.md

@@ -53,7 +53,7 @@ Suggested Grafana alerts:
 2. **Stage ingestion**:
    - Temporarily raise `maxEntriesPerFetch` (e.g. 500) and restart Concelier workers.
    - Run chained jobs until `pendingDocuments` drains:  
-     `stella db jobs run source:cccs:fetch --and-then source:cccs:parse --and-then source:cccs:map`
+     Run `stella db fetch --source cccs --stage fetch`, then `--stage parse`, then `--stage map`.
    - Monitor `cccs.fetch.unchanged` growth; once it approaches dataset size the backfill is complete.
 3. **Optional pagination sweep** – for incremental mirrors, iterate `page=<n>` (0…N) while `response.Count == 50`, persisting JSON to disk. Store alongside metadata (`language`, `page`, SHA256) so repeated runs detect drift.
 4. **Language split** – keep EN/FR payloads separate to preserve canonical language fields. The connector emits `Language` directly from the feed entry, so mixed ingestion simply produces parallel advisories keyed by the same serial number.

docs/modules/concelier/operations/connectors/certbund.md

@@ -124,7 +124,7 @@ operating offline.
 ### 3.4 Connector-driven catch-up
 
 1. Temporarily raise `maxAdvisoriesPerFetch` (e.g. 150) and reduce `requestDelay`.
-2. Run `stella db jobs run source:cert-bund:fetch --and-then source:cert-bund:parse --and-then source:cert-bund:map` until the fetch log reports `enqueued=0`.
+2. Run `stella db fetch --source cert-bund --stage fetch`, then `--stage parse`, then `--stage map` until the fetch log reports `enqueued=0`.
 3. Restore defaults and capture the cursor snapshot for audit.
 
 ---

docs/modules/concelier/operations/connectors/cisco.md

@@ -33,7 +33,7 @@ This runbook describes how Ops provisions, rotates, and distributes Cisco PSIRT
    - Update `concelier:sources:cisco:auth` (or the module-specific secret template) with the stored credentials.
    - For Offline Kit delivery, export encrypted secrets into `offline-kit/secrets/cisco-openvuln.json` using the platform’s sealed secret format.
 4. **Connectivity validation**
-   - From the Concelier control plane, run `stella db jobs run source:vndr-cisco:fetch --dry-run`.
+   - From the Concelier control plane, run `stella db fetch --source vndr-cisco --stage fetch` (use staging or a controlled window).
    - Ensure the Source HTTP diagnostics record `Bearer` authorization headers and no 401/403 responses.
 
 ## 4. Rotation SOP

docs/modules/concelier/operations/connectors/cve-kev.md

@@ -34,7 +34,7 @@ concelier:
 
 1. Deploy the updated configuration and restart the Concelier service so the connector picks up the credentials.
 2. Trigger one end-to-end cycle:
-   - Concelier CLI: `stella db jobs run source:cve:fetch --and-then source:cve:parse --and-then source:cve:map`
+   - Concelier CLI: run `stella db fetch --source cve --stage fetch`, then `--stage parse`, then `--stage map`.
    - REST fallback: `POST /jobs/run { "kind": "source:cve:fetch", "chain": ["source:cve:parse", "source:cve:map"] }`
 3. Observe the following metrics (exported via OTEL meter `StellaOps.Concelier.Connector.Cve`):
    - `cve.fetch.attempts`, `cve.fetch.success`, `cve.fetch.documents`, `cve.fetch.failures`, `cve.fetch.unchanged`
@@ -107,7 +107,7 @@ Treat repeated schema failures or growing anomaly counts as an upstream regressi
 
 1. Deploy the configuration and restart Concelier.
 2. Trigger a pipeline run:
-   - CLI: `stella db jobs run source:kev:fetch --and-then source:kev:parse --and-then source:kev:map`
+   - CLI: run `stella db fetch --source kev --stage fetch`, then `--stage parse`, then `--stage map`.
    - REST: `POST /jobs/run { "kind": "source:kev:fetch", "chain": ["source:kev:parse", "source:kev:map"] }`
 3. Verify the metrics exposed by meter `StellaOps.Concelier.Connector.Kev`:
    - `kev.fetch.attempts`, `kev.fetch.success`, `kev.fetch.unchanged`, `kev.fetch.failures`

docs/modules/concelier/operations/connectors/epss.md

@@ -24,7 +24,7 @@ concelier:
 
 1. Restart Concelier workers after configuration changes.
 2. Trigger a full cycle:
-   - CLI: `stella db jobs run source:epss:fetch --and-then source:epss:parse --and-then source:epss:map`
+   - CLI: run `stella db fetch --source epss --stage fetch`, then `--stage parse`, then `--stage map`.
    - REST: `POST /jobs/run { "kind": "source:epss:fetch", "chain": ["source:epss:parse", "source:epss:map"] }`
 3. Verify document status transitions: `pending_parse` -> `pending_map` -> `mapped`.
 4. Confirm log entries for `Fetched EPSS snapshot` and parse/map summaries.

docs/modules/concelier/operations/connectors/ics-cisa.md

@@ -79,7 +79,7 @@ If credentials are still pending, populate the connector with the community CSV
    ```bash
    CONCELIER_SOURCES_ICSCISA_GOVDELIVERY_CODE=... \ 
    CONCELIER_SOURCES_ICSCISA_ENABLEDETAILSCRAPE=1 \ 
-   stella db jobs run source:ics-cisa:fetch --and-then source:ics-cisa:parse --and-then source:ics-cisa:map
+   Run `stella db fetch --source ics-cisa --stage fetch`, then `--stage parse`, then `--stage map`.
    ```
 3. Confirm logs contain `ics-cisa detail fetch` entries and that new documents/DTOs include attachments (see `docs/artifacts/icscisa`). Canonical advisories should expose PDF links as `references.kind == "attachment"` and affected packages should surface `primitives.semVer.exactValue` for single-version hits.
 4. If Akamai blocks direct fetches, set `concelier:sources:icscisa:proxyUri` to your allow-listed egress proxy and rerun the dry-run.

docs/modules/concelier/operations/connectors/kisa.md

@@ -25,7 +25,7 @@ concelier:
 
 1. Restart the Concelier workers so the KISA options bind.
 2. Run a full connector cycle:
-   - CLI: `stella db jobs run source:kisa:fetch --and-then source:kisa:parse --and-then source:kisa:map`
+   - CLI: run `stella db fetch --source kisa --stage fetch`, then `--stage parse`, then `--stage map`.
    - REST: `POST /jobs/run { "kind": "source:kisa:fetch", "chain": ["source:kisa:parse", "source:kisa:map"] }`
 3. Confirm telemetry (Meter `StellaOps.Concelier.Connector.Kisa`):
    - `kisa.feed.success`, `kisa.feed.items`