Rename Vexer to Excititor

2025-10-18 20:00:46 +03:00
parent e2672ba968
commit dd66f58b00
263 changed files with 848 additions and 848 deletions
--- a/docs/07_HIGH_LEVEL_ARCHITECTURE.md
+++ b/docs/07_HIGH_LEVEL_ARCHITECTURE.md
@@ -37,7 +37,7 @@ It **absorbs** all content from `components.md` so you have a single, authoritat
 | **Scanner.Sbomer.BuildXPlugin** | `stellaops/sbom-indexer`   | BuildKit **generator** for build‑time SBOMs as OCI **referrers**.                                                                           | CI‑side; ephemeral.                                |
 | **Scanner.Sbomer.DockerImage**  | `stellaops/scanner-cli`    | CLI‑orchestrated scanner container for post‑build scans.                                                                                    | Local/CI; ephemeral.                               |
 | **Feedser.WebService**          | `stellaops/feedser-web`    | Vulnerability ingest/normalize/merge/export (JSON + Trivy DB).                                                                              | HA via Mongo locks.                                |
-| **Vexer.WebService**            | `stellaops/vexer-web`      | VEX ingest/normalize/consensus; conflict retention; exports.                                                                                | HA via Mongo locks.                                |
+| **Excititor.WebService**            | `stellaops/excititor-web`      | VEX ingest/normalize/consensus; conflict retention; exports.                                                                                | HA via Mongo locks.                                |
 | **Policy Engine**               | (in `scanner-web`)         | YAML DSL evaluator (waivers, vendor preferences, KEV/EPSS, license, usage‑gating); produces **policy digest**.                              | In‑process; cache per digest.                      |
 | **Signer**                      | `stellaops/signer`         | **Hard gate:** validates entitlement + release integrity; mints signing cert (Fulcio keyless) or uses KMS; signs DSSE.                      | Stateless; HPA by QPS.                             |
 | **Attestor**                    | `stellaops/attestor`       | Posts DSSE bundles to **Rekor v2**; verification endpoints.                                                                                 | Stateless; HPA by QPS.                             |
@@ -72,7 +72,7 @@ flowchart LR
    SW[Scanner.WebService]
    WK[Scanner.Worker xN]
    FEED[Feedser]
-    VEX[Vexer]
+    VEX[Excititor]
    POL[Policy Engine (in Scanner.Web)]
    SGN[Signer\n(entitlement + signing)]
    ATT[Attestor\n(Rekor v2 submit/verify)]
@@ -182,7 +182,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
 * Ingests vendor, distro, OSS feeds; normalizes & merges; persists canonical advisories in Mongo; exports **deterministic JSON** and **Trivy DB**.
 * Offline kit bundles for air‑gapped sites.

-### 4.2 Vexer (VEX)
+### 4.2 Excititor (VEX)

 * Ingests **OpenVEX / CSAF VEX / CycloneDX VEX**; normalizes claims; retains conflicts; computes **consensus** with provider trust weights and justification gates.

@@ -195,7 +195,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
 ### 4.4 PASS/FAIL flow

 1. SBOM (Inventory / Usage) → join with **Feedser** advisories.
-2. Apply **Vexer** consensus (statuses & justifications).
+2. Apply **Excititor** consensus (statuses & justifications).
 3. Apply **Policy**; compute PASS/FAIL with waiver TTLs.
 4. Sign the **final report** (DSSE via **Signer**) and log to **Rekor v2** via **Attestor**.

@@ -350,8 +350,8 @@ services:
    deploy: { replicas: 4 }
    depends_on: [scanner-web]
  feedser:    { image: stellaops/feedser-web, depends_on: [mongo] }
-  vexer:      { image: stellaops/vexer-web, depends_on: [mongo] }
-  ui:         { image: stellaops/ui, depends_on: [scanner-web, feedser, vexer] }
+  excititor:      { image: stellaops/excititor-web, depends_on: [mongo] }
+  ui:         { image: stellaops/ui, depends_on: [scanner-web, feedser, excititor] }
 ```

 * **Backups:** Mongo dumps; MinIO versioned buckets & replication; Rekor v2 DB snapshots; JWKS/Fulcio/KMS key rotation.
@@ -373,7 +373,7 @@ services:
 * M2: Buildx generator certified flows; cross‑registry trust policies.
 * M3: Patch‑Presence plugin (signature‑based backport detection), opt‑in.
 * M3: Zastava Admission control GA with policy presets and dry‑run→enforce stages.
-* Continuous: Policy UX (waiver TTLs, vendor rules), Vexer connectors expansion.
+* Continuous: Policy UX (waiver TTLs, vendor rules), Excititor connectors expansion.

 ---

--- a/docs/ARCHITECTURE_ATTESTOR.md
+++ b/docs/ARCHITECTURE_ATTESTOR.md
@@ -1,6 +1,6 @@
 # component_architecture_attestor.md — **Stella Ops Attestor** (2025Q4)

-> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Vexer exports when configured).
+> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Excititor exports when configured).

 ---

--- a/docs/ARCHITECTURE_AUTHORITY.md
+++ b/docs/ARCHITECTURE_AUTHORITY.md
@@ -6,7 +6,7 @@

 ## 0) Mission & boundaries

-**Mission.** Provide **fast, local, verifiable** authentication for Stella Ops microservices and tools by minting **very short‑lived** OAuth2/OIDC tokens that are **sender‑constrained** (DPoP or mTLS‑bound). Support RBAC scopes, multi‑tenant claims, and deterministic validation for APIs (Scanner, Signer, Attestor, Vexer, Feedser, UI, CLI, Zastava).
+**Mission.** Provide **fast, local, verifiable** authentication for Stella Ops microservices and tools by minting **very short‑lived** OAuth2/OIDC tokens that are **sender‑constrained** (DPoP or mTLS‑bound). Support RBAC scopes, multi‑tenant claims, and deterministic validation for APIs (Scanner, Signer, Attestor, Excititor, Feedser, UI, CLI, Zastava).

 **Boundaries.**

@@ -43,7 +43,7 @@
 ```
 iss   = https://authority.<domain>
 sub   = <client_id or user_id>
-aud   = <service audience: signer|scanner|attestor|feedser|vexer|ui|zastava>
+aud   = <service audience: signer|scanner|attestor|feedser|excititor|ui|zastava>
 exp   = <unix ts>  (<= 300 s from iat)
 iat   = <unix ts>
 nbf   = iat - 30
@@ -140,7 +140,7 @@ plan?        = <plan name>              // optional hint for UIs; not used for e
 ### 4.1 Audiences

 * `signer` — only the **Signer** service should accept tokens with `aud=signer`.
-* `attestor`, `scanner`, `feedser`, `vexer`, `ui`, `zastava` similarly.
+* `attestor`, `scanner`, `feedser`, `excititor`, `ui`, `zastava` similarly.

 Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their policy.

@@ -153,7 +153,7 @@ Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their p
 | `scanner.scan`                     | Scanner.WebService | Submit scan jobs           |
 | `scanner.export`                   | Scanner.WebService | Export SBOMs               |
 | `scanner.read`                     | Scanner.WebService | Read catalog/SBOMs         |
-| `vex.read` / `vex.admin`           | Vexer              | Query/operate              |
+| `vex.read` / `vex.admin`           | Excititor              | Query/operate              |
 | `feedser.read` / `feedser.export`  | Feedser            | Query/exports              |
 | `ui.read` / `ui.admin`             | UI                 | View/admin                 |
 | `zastava.emit` / `zastava.enforce` | Scanner/Zastava    | Runtime events / admission |
--- a/docs/ARCHITECTURE_CLI.md
+++ b/docs/ARCHITECTURE_CLI.md
@@ -1,6 +1,6 @@
 # component_architecture_cli.md — **Stella Ops CLI** (2025Q4)

-> **Scope.** Implementation‑ready architecture for **Stella Ops CLI**: command surface, process model, auth (Authority/DPoP), integration with Scanner/Vexer/Feedser/Signer/Attestor, Buildx plug‑in management, offline kit behavior, packaging, observability, security posture, and CI ergonomics.
+> **Scope.** Implementation‑ready architecture for **Stella Ops CLI**: command surface, process model, auth (Authority/DPoP), integration with Scanner/Excititor/Feedser/Signer/Attestor, Buildx plug‑in management, offline kit behavior, packaging, observability, security posture, and CI ergonomics.

 ---

@@ -18,7 +18,7 @@

 * CLI **never** signs; it only calls **Signer**/**Attestor** via backend APIs when needed (e.g., `report --attest`).
 * CLI **does not** store long‑lived credentials beyond OS keychain; tokens are **short** (Authority OpToks).
-* Heavy work (scanning, merging, policy) is executed **server‑side** (Scanner/Vexer/Feedser).
+* Heavy work (scanning, merging, policy) is executed **server‑side** (Scanner/Excititor/Feedser).

 ---

@@ -77,7 +77,7 @@ src/

 * `policy get/set/apply` — fetch active policy, apply staged policy, compute digest.
 * `feedser export` — trigger/export canonical JSON or Trivy DB (admin).
-* `vexer export` — trigger/export consensus/raw claims (admin).
+* `excititor export` — trigger/export consensus/raw claims (admin).

 ### 2.5 Verification

@@ -91,8 +91,8 @@ src/

 ### 2.7 Offline kit

-* `offline kit pull` — fetch latest **Feedser JSON + Trivy DB + Vexer exports** as a tarball from a mirror.
-* `offline kit import <tar>` — upload the kit to on‑prem services (Feedser/Vexer).
+* `offline kit pull` — fetch latest **Feedser JSON + Trivy DB + Excititor exports** as a tarball from a mirror.
+* `offline kit import <tar>` — upload the kit to on‑prem services (Feedser/Excititor).
 * `offline kit status` — list current seed versions.

 ### 2.8 Utilities
@@ -122,7 +122,7 @@ src/
  * `scanner` for scan/export/report/diff
  * `signer` (indirect; usually backend calls Signer)
  * `attestor` for verify
-  * `feedser`/`vexer` for admin verbs
+  * `feedser`/`excititor` for admin verbs

 CLI rejects verbs if required scopes are missing.

@@ -168,7 +168,7 @@ cli:
    scanner: "https://scanner-web.internal"
    attestor: "https://attestor.internal"
    feedser: "https://feedser-web.internal"
-    vexer: "https://vexer-web.internal"
+    excititor: "https://excititor-web.internal"
  auth:
    audienceDefault: "scanner"
    deviceCode: true
@@ -263,7 +263,7 @@ Exit code: 2

 ## 13) Admin & advanced flags

-* `--authority`, `--scanner`, `--attestor`, `--feedser`, `--vexer` override config URLs.
+* `--authority`, `--scanner`, `--attestor`, `--feedser`, `--excititor` override config URLs.
 * `--no-color`, `--quiet`, `--json`.
 * `--timeout`, `--retries`, `--retry-backoff-ms`.
 * `--ca-bundle`, `--insecure` (dev only; prints warning).
--- a/docs/ARCHITECTURE_DEVOPS.md
+++ b/docs/ARCHITECTURE_DEVOPS.md
@@ -42,7 +42,7 @@ Semantic core + calendar tag:
 A release is a **bundle** of image digests + charts + manifests. All services in a bundle are **wire‑compatible**. Mixed minor versions are allowed within a bounded skew:

 * **Web UI ↔ backend**: `±1 minor`.
-* **Scanner ↔ Policy/Vexer/Feedser**: `±1 minor`.
+* **Scanner ↔ Policy/Excititor/Feedser**: `±1 minor`.
 * **Authority/Signer/Attestor triangle**: **must** be same minor (crypto and DPoP/mTLS binding rules).

 At startup, services **self‑advertise** their semver & channel; the UI surfaces **mismatch warnings**.
@@ -90,7 +90,7 @@ At startup, services **self‑advertise** their semver & channel; the UI surface

 **Gating policy**:

-* **Core images** (Authority, Scanner, Feedser, Vexer, Attestor, UI): public **read**.
+* **Core images** (Authority, Scanner, Feedser, Excititor, Attestor, UI): public **read**.
 * **Enterprise add‑ons** (if any) and **pre‑release**: private repos via OAuth2 token service.

 > Monetization lever is **signing** (PoE gate), not image pulls, so the core remains simple to consume.
@@ -115,7 +115,7 @@ At startup, services **self‑advertise** their semver & channel; the UI surface
    /attest/   DSSE bundles + Rekor proofs
    /charts/   Helm charts + values templates
    /compose/  docker-compose.yml + .env template
-    /plugins/  Feedser/Vexer connectors (restart-time)
+    /plugins/  Feedser/Excititor connectors (restart-time)
    /policy/   example policies
    /manifest/ release.yaml  (see §6.1)
  ```
@@ -170,7 +170,7 @@ helm install stella stellaops/platform \
  --set scanner.minio.endpoint=http://minio.stella.local:9000 \
  --set scanner.mongo.uri=mongodb://mongo/scanner \
  --set feedser.mongo.uri=mongodb://mongo/feedser \
-  --set vexer.mongo.uri=mongodb://mongo/vexer
+  --set excititor.mongo.uri=mongodb://mongo/excititor
 ```

 * Post‑install job registers **Authority clients** (Scanner, Signer, Attestor, UI) and prints **bootstrap** URLs and client credentials (sealed secrets).
@@ -185,7 +185,7 @@ helm install stella stellaops/platform \
  1. Authority (stateless, dual‑key rotation ready)
  2. Signer/Attestor (same minor)
  3. Scanner WebService & Workers
-  4. Feedser, then Vexer (schema migrations are expand/contract)
+  4. Feedser, then Excititor (schema migrations are expand/contract)
  5. UI last

 * **DB migrations** are **expand/contract**:
@@ -266,7 +266,7 @@ s3://stellaops/
  feedser/
    json/<exportId>/...
    trivy/<exportId>/...
-  vexer/
+  excititor/
    exports/<exportId>/...
  attestor/
    dsse/<bundleSha256>.json
@@ -289,14 +289,14 @@ s3://stellaops/
 ### 7.4 Mongo retention

 * **Scanner**: `runtime.events` use TTL (e.g., 30–90 days); **catalog** permanent.
-* **Feedser/Vexer**: raw docs keep **last N windows**; canonical stores permanent.
+* **Feedser/Excititor**: raw docs keep **last N windows**; canonical stores permanent.
 * **Attestor**: `entries` permanent; `dedupe` TTL 24–48h.

 ---

 ## 8) Observability & SLOs (operations)

-* **Uptime SLO**: 99.9% for Signer/Authority/Attestor; 99.5% for Scanner WebService; Vexer/Feedser 99.0%.
+* **Uptime SLO**: 99.9% for Signer/Authority/Attestor; 99.5% for Scanner WebService; Excititor/Feedser 99.0%.
 * **Error budgets**: tracked per month; dashboards show burn rates.
 * **Golden signals**:

@@ -410,8 +410,8 @@ services:
    deploy: { replicas: 4 }
  feedser:
    image: registry.stella-ops.org/stellaops/feedser@sha256:...
-  vexer:
-    image: registry.stella-ops.org/stellaops/vexer@sha256:...
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:...
  web-ui:
    image: registry.stella-ops.org/stellaops/web-ui@sha256:...
  mongo:
@@ -446,7 +446,7 @@ services:
 * `signer.requests_total{result="success"}/minute` > 0 (when scans occur).
 * `attestor.submit_latency_seconds{quantile=0.95}` < 0.3.
 * `scanner.scan_latency_seconds{quantile=0.95}` < target per image size.
-* `feedser.export.duration_seconds` stable; `vexer.consensus.conflicts_total` not exploding after policy changes.
+* `feedser.export.duration_seconds` stable; `excititor.consensus.conflicts_total` not exploding after policy changes.
 * MinIO `s3_requests_errors_total` near zero; Mongo `opcounters` hit expected baseline.

 ### Appendix B — Upgrade safety checklist
--- a/docs/ARCHITECTURE_EXCITITOR.md
+++ b/docs/ARCHITECTURE_EXCITITOR.md
@@ -1,6 +1,6 @@
-# component_architecture_vexer.md — **Stella Ops Vexer** (2025Q4)
+# component_architecture_excititor.md — **Stella Ops Excititor** (2025Q4)

-> **Scope.** This document specifies the **Vexer** service: its purpose, trust model, data structures, APIs, plug‑in contracts, storage schema, normalization/consensus algorithms, performance budgets, testing matrix, and how it integrates with Scanner, Policy, Feedser, and the attestation chain. It is implementation‑ready.
+> **Scope.** This document specifies the **Excititor** service: its purpose, trust model, data structures, APIs, plug‑in contracts, storage schema, normalization/consensus algorithms, performance budgets, testing matrix, and how it integrates with Scanner, Policy, Feedser, and the attestation chain. It is implementation‑ready.

 ---

@@ -10,9 +10,9 @@

 **Boundaries.**

-* Vexer **does not** decide PASS/FAIL. It supplies **evidence** (statuses + justifications + provenance weights).
-* Vexer preserves **conflicting claims** unchanged; consensus encodes how we would pick, but the raw set is always exportable.
-* VEX consumption is **backend‑only**: Scanner never applies VEX. The backend’s **Policy Engine** asks Vexer for status evidence and then decides what to show.
+* Excititor **does not** decide PASS/FAIL. It supplies **evidence** (statuses + justifications + provenance weights).
+* Excititor preserves **conflicting claims** unchanged; consensus encodes how we would pick, but the raw set is always exportable.
+* VEX consumption is **backend‑only**: Scanner never applies VEX. The backend’s **Policy Engine** asks Excititor for status evidence and then decides what to show.

 ---

@@ -52,7 +52,7 @@ VexClaim

  * `rollupStatus` (after policy weights/justification gates),
  * `sources[]` (winning + losing claims with weights & reasons),
-  * `policyRevisionId` (identifier of the Vexer policy used),
+  * `policyRevisionId` (identifier of the Excititor policy used),
  * `consensusDigest` (stable SHA‑256 over canonical JSON).
 * **Raw claims** export for auditing (unchanged, with provenance).
 * **Provider snapshots** (per source, last N days) for operator debugging.
@@ -76,13 +76,13 @@ All exports are **deterministic**, and (optionally) **attested** via DSSE and lo
 * **Fallback:** `oci:<registry>/<repo>@<digest>` for image‑level VEX.
 * **Special cases:** kernel modules, firmware, platforms → provider‑specific mapping helpers (connector captures provider’s product taxonomy → canonical `productKey`).

-> Vexer does not invent identities. If a provider cannot be mapped to purl/CPE/NVRA deterministically, we keep the native **product string** and mark the claim as **non‑joinable**; the backend will ignore it unless a policy explicitly whitelists that provider mapping.
+> Excititor does not invent identities. If a provider cannot be mapped to purl/CPE/NVRA deterministically, we keep the native **product string** and mark the claim as **non‑joinable**; the backend will ignore it unless a policy explicitly whitelists that provider mapping.

 ---

 ## 3) Storage schema (MongoDB)

-Database: `vexer`
+Database: `excititor`

 ### 3.1 Collections

@@ -246,7 +246,7 @@ public interface IVexConnector
 ### 6.1 Inputs

 * Set **S** of `VexClaim` for the key.
-* **Vexer policy snapshot**:
+* **Excititor policy snapshot**:

  * **weights** per provider tier and per provider overrides.
  * **justification gates** (e.g., require justification for `not_affected` to be acceptable).
@@ -327,8 +327,8 @@ GET  /providers/{id}/status      → last fetch, doc counts, signature stats
 ## 9) Configuration (YAML)

 ```yaml
-vexer:
-  mongo: { uri: "mongodb://mongo/vexer" }
+excititor:
+  mongo: { uri: "mongodb://mongo/excititor" }
  s3:
    endpoint: http://minio:9000
    bucket: stellaops
--- a/docs/ARCHITECTURE_FEEDSER.md
+++ b/docs/ARCHITECTURE_FEEDSER.md
@@ -1,6 +1,6 @@
 # component_architecture_feedser.md — **Stella Ops Feedser** (2025Q4)

-> **Scope.** Implementation‑ready architecture for **Feedser**: the vulnerability ingest/normalize/merge/export subsystem that produces deterministic advisory data for the Scanner + Policy + Vexer pipeline. Covers domain model, connectors, merge rules, storage schema, exports, APIs, performance, security, and test matrices.
+> **Scope.** Implementation‑ready architecture for **Feedser**: the vulnerability ingest/normalize/merge/export subsystem that produces deterministic advisory data for the Scanner + Policy + Excititor pipeline. Covers domain model, connectors, merge rules, storage schema, exports, APIs, performance, security, and test matrices.

 ---

--- a/docs/ARCHITECTURE_SCANNER.md
+++ b/docs/ARCHITECTURE_SCANNER.md
@@ -1,6 +1,6 @@
 # component_architecture_scanner.md — **Stella Ops Scanner** (2025Q4)

-> **Scope.** Implementation‑ready architecture for the **Scanner** subsystem: WebService, Workers, analyzers, SBOM assembly (inventory & usage), per‑layer caching, three‑way diffs, artifact catalog (MinIO+Mongo), attestation hand‑off, and scale/security posture. This document is the contract between the scanning plane and everything else (Policy, Vexer, Feedser, UI, CLI).
+> **Scope.** Implementation‑ready architecture for the **Scanner** subsystem: WebService, Workers, analyzers, SBOM assembly (inventory & usage), per‑layer caching, three‑way diffs, artifact catalog (MinIO+Mongo), attestation hand‑off, and scale/security posture. This document is the contract between the scanning plane and everything else (Policy, Excititor, Feedser, UI, CLI).

 ---

@@ -10,7 +10,7 @@

 **Boundaries.**

-* Scanner **does not** produce PASS/FAIL. The backend (Policy + Vexer + Feedser) decides presentation and verdicts.
+* Scanner **does not** produce PASS/FAIL. The backend (Policy + Excititor + Feedser) decides presentation and verdicts.
 * Scanner **does not** keep third‑party SBOM warehouses. It may **bind** to existing attestations for exact hashes.
 * Core analyzers are **deterministic** (no fuzzy identity). Optional heuristic plug‑ins (e.g., patch‑presence) run under explicit flags and never contaminate the core SBOM.

--- a/docs/ARCHITECTURE_SIGNER.md
+++ b/docs/ARCHITECTURE_SIGNER.md
@@ -223,7 +223,7 @@ Supported **predicate types** (extensible):

 * `https://stella-ops.org/attestations/sbom/1` (SBOM emissions)
 * `https://stella-ops.org/attestations/report/1` (final PASS/FAIL reports)
-* `https://stella-ops.org/attestations/vex-export/1` (Vexer exports; optional)
+* `https://stella-ops.org/attestations/vex-export/1` (Excititor exports; optional)

 **Validation**:

--- a/docs/ARCHITECTURE_UI.md
+++ b/docs/ARCHITECTURE_UI.md
@@ -1,6 +1,6 @@
 # component_architecture_web_ui.md — **Stella Ops Web UI** (2025Q4)

-> **Scope.** Implementation‑ready architecture for the **Angular SPA** that operators and developers use to drive Stella Ops. This document defines UX surfaces, module boundaries, data flows, auth, RBAC, real‑time updates, performance targets, i18n/a11y, security headers, testing and deployment. The UI is a *consumer* of backend APIs (Scanner, Policy, Vexer, Feedser, Attestor, Authority) and never performs scanning, merging, or signing on its own.
+> **Scope.** Implementation‑ready architecture for the **Angular SPA** that operators and developers use to drive Stella Ops. This document defines UX surfaces, module boundaries, data flows, auth, RBAC, real‑time updates, performance targets, i18n/a11y, security headers, testing and deployment. The UI is a *consumer* of backend APIs (Scanner, Policy, Excititor, Feedser, Attestor, Authority) and never performs scanning, merging, or signing on its own.

 ---

@@ -10,7 +10,7 @@

 * Scans (status, SBOMs, diffs, EntryTrace, attestation).
 * Policy management (rules, exemptions, VEX consumption view).
-* Vulnerability intel (Feedser status), VEX consensus exploration (Vexer).
+* Vulnerability intel (Feedser status), VEX consensus exploration (Excititor).
 * Runtime posture (Zastava observer + admission).
 * Admin operations (tenants, tokens, quotas, licensing posture).

@@ -86,7 +86,7 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha
 * **VEX inclusion controls**: weight sliders (visualization only), provider allow/deny toggles.
 * **Preview**: select SBOM (or image digest) → show verdict under staged policy.

-### 3.5 Vexer
+### 3.5 Excititor

 * **Claims explorer**: search by vulnId/productKey/provider; show raw claim (status, justification, evidence).
 * **Consensus view**: rollup per (vuln, product) with accepted/rejected sources, weights, timestamps.
@@ -136,7 +136,7 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha

 * **`core/http/api-client.ts`** centralizes:

-  * Base URLs (Scanner, Vexer, Feedser, Attestor).
+  * Base URLs (Scanner, Excititor, Feedser, Attestor).
  * **Retry** policies on idempotent GETs (backoff + jitter).
  * **Problem+JSON** parser → uniform error toasts with correlation ID.
  * **SSE** helper (EventSource) with auto‑reconnect & backpressure.
@@ -144,7 +144,7 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha

 * Typed API clients (DTOs in `core/api/models.ts`):

-  * `ScannerApi`, `PolicyApi`, `VexerApi`, `FeedserApi`, `AttestorApi`, `AuthorityApi`.
+  * `ScannerApi`, `PolicyApi`, `ExcititorApi`, `FeedserApi`, `AttestorApi`, `AuthorityApi`.

 **DTO examples (abbrev):**

@@ -184,7 +184,7 @@ export interface VexConsensus {

 * **Huge tables** rendered with **virtual scrolling** (CDK Virtual Scroll); sort/filter performed client‑side for ≤ 20k rows; beyond that, server‑side queries via BOM‑Index endpoints.
 * **Component row** shows purl, version, origin (OS pkg / metadata / linker / attested), licenses, and **used** badge (Usage view).
-* **Diff**: compact heatmap per layer; clicking opens a right‑pane with evidence: introducing paths, file hashes, VEX notes (from Vexer consensus) and links to advisories (Feedser).
+* **Diff**: compact heatmap per layer; clicking opens a right‑pane with evidence: introducing paths, file hashes, VEX notes (from Excititor consensus) and links to advisories (Feedser).

 ---

--- a/docs/EXCITITOR_SCORRING.md
+++ b/docs/EXCITITOR_SCORRING.md
@@ -1,6 +1,6 @@
 ## Status

-This document tracks the future-looking risk scoring model for Vexer. The calculation below is not active yet; Sprint 7 work will add the required schema fields, policy controls, and services. Until that ships, Vexer emits consensus statuses without numeric scores.
+This document tracks the future-looking risk scoring model for Excititor. The calculation below is not active yet; Sprint 7 work will add the required schema fields, policy controls, and services. Until that ships, Excititor emits consensus statuses without numeric scores.

 ## Scoring model (target state)

@@ -19,8 +19,8 @@ Safeguards: freeze boosts when product identity is unknown, clamp outputs ≥0,

 | Phase | Scope | Artifacts |
 | --- | --- | --- |
-| **Phase 1 – Schema foundations** | Extend Vexer consensus/claims and Feedser canonical advisories with severity, KEV, EPSS, and expose α/β + weight ceilings in policy. | Sprint 7 tasks `VEXER-CORE-02-001`, `VEXER-POLICY-02-001`, `VEXER-STORAGE-02-001`, `FEEDCORE-ENGINE-07-001`. |
-| **Phase 2 – Deterministic score engine** | Implement a scoring component that executes alongside consensus and persists score envelopes with hashes. | Planned task `VEXER-CORE-02-002` (backlog). |
+| **Phase 1 – Schema foundations** | Extend Excititor consensus/claims and Feedser canonical advisories with severity, KEV, EPSS, and expose α/β + weight ceilings in policy. | Sprint 7 tasks `EXCITITOR-CORE-02-001`, `EXCITITOR-POLICY-02-001`, `EXCITITOR-STORAGE-02-001`, `FEEDCORE-ENGINE-07-001`. |
+| **Phase 2 – Deterministic score engine** | Implement a scoring component that executes alongside consensus and persists score envelopes with hashes. | Planned task `EXCITITOR-CORE-02-002` (backlog). |
 | **Phase 3 – Surfacing & enforcement** | Expose scores via WebService/CLI, integrate with Feedser noise priors, and enforce policy-based suppressions. | To be scheduled after Phase 2. |

 ## Data model (after Phase 1)
@@ -60,7 +60,7 @@ Safeguards: freeze boosts when product identity is unknown, clamp outputs ≥0,

 ## Operational guidance

-* **Inputs**: Feedser delivers severity/KEV/EPSS via the advisory event log; Vexer connectors load VEX statements. Policy owns trust tiers and coefficients.
+* **Inputs**: Feedser delivers severity/KEV/EPSS via the advisory event log; Excititor connectors load VEX statements. Policy owns trust tiers and coefficients.
 * **Processing**: the scoring engine (Phase 2) runs next to consensus, storing results with deterministic hashes so exports and attestations can reference them.
 * **Consumption**: WebService/CLI will return consensus plus score; scanners may suppress findings only when policy-authorized VEX gating and signed score envelopes agree.

--- a/docs/README.md
+++ b/docs/README.md
@@ -37,7 +37,7 @@ Everything here is open‑source and versioned — when you check out a git ta
 - **08 – Module Architecture Dossiers**  
  - [Scanner](ARCHITECTURE_SCANNER.md)  
  - [Feedser](ARCHITECTURE_FEEDSER.md)  
-  - [Vexer](ARCHITECTURE_VEXER.md)  
+  - [Excititor](ARCHITECTURE_EXCITITOR.md)  
  - [Signer](ARCHITECTURE_SIGNER.md)  
  - [Attestor](ARCHITECTURE_ATTESTOR.md)  
  - [Authority](ARCHITECTURE_AUTHORITY.md)  
@@ -48,9 +48,9 @@ Everything here is open‑source and versioned — when you check out a git ta
 - **09 – [API & CLI Reference](09_API_CLI_REFERENCE.md)**
 - **10 – [Plug‑in SDK Guide](10_PLUGIN_SDK_GUIDE.md)**
 - **10 – [Feedser CLI Quickstart](10_FEEDSER_CLI_QUICKSTART.md)**
- **30 – [Vexer Connector Packaging Guide](dev/30_VEXER_CONNECTOR_GUIDE.md)**
+- **30 – [Excititor Connector Packaging Guide](dev/30_EXCITITOR_CONNECTOR_GUIDE.md)**
 - **30 – Developer Templates**  
-  - [Vexer Connector Skeleton](dev/templates/vexer-connector/)
+  - [Excititor Connector Skeleton](dev/templates/excititor-connector/)
 - **11 – [Authority Service](11_AUTHORITY.md)**
 - **11 – [Data Schemas](11_DATA_SCHEMAS.md)**
 - **12 – [Performance Workbook](12_PERFORMANCE_WORKBOOK.md)**
--- a/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md
+++ b/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md
@@ -1,18 +1,18 @@
-# Vexer Connector Packaging Guide
+# Excititor Connector Packaging Guide

-> **Audience:** teams implementing new Vexer provider plug‑ins (CSAF feeds,
+> **Audience:** teams implementing new Excititor provider plug‑ins (CSAF feeds,
 > OpenVEX attestations, etc.)  
-> **Prerequisites:** read `docs/ARCHITECTURE_VEXER.md` and the module
-> `AGENTS.md` in `src/StellaOps.Vexer.Connectors.Abstractions/`.
+> **Prerequisites:** read `docs/ARCHITECTURE_EXCITITOR.md` and the module
+> `AGENTS.md` in `src/StellaOps.Excititor.Connectors.Abstractions/`.

-The Vexer connector SDK gives you:
+The Excititor connector SDK gives you:

 - `VexConnectorBase` – deterministic logging, SHA‑256 helpers, time provider.
 - `VexConnectorOptionsBinder` – strongly typed YAML/JSON configuration binding.
 - `IVexConnectorOptionsValidator<T>` – custom validation hooks (offline defaults, auth invariants).
 - `VexConnectorDescriptor` & metadata helpers for consistent telemetry.

-This guide explains how to package a connector so the Vexer Worker/WebService
+This guide explains how to package a connector so the Excititor Worker/WebService
 can load it via the plugin host.

 ---
@@ -20,12 +20,12 @@ can load it via the plugin host.
 ## 1. Project layout

 Start from the template under
-`docs/dev/templates/vexer-connector/`. It contains:
+`docs/dev/templates/excititor-connector/`. It contains:

 ```
-Vexer.MyConnector/
+Excititor.MyConnector/
 ├── src/
-│   ├── Vexer.MyConnector.csproj
+│   ├── Excititor.MyConnector.csproj
 │   ├── MyConnectorOptions.cs
 │   ├── MyConnector.cs
 │   └── MyConnectorPlugin.cs
@@ -36,8 +36,8 @@ Vexer.MyConnector/
 Key points:

 - Target `net10.0`, enable `TreatWarningsAsErrors`, reference the
-  `StellaOps.Vexer.Connectors.Abstractions` project (or NuGet once published).
- Keep project ID prefix `StellaOps.Vexer.Connectors.<Provider>` so the
+  `StellaOps.Excititor.Connectors.Abstractions` project (or NuGet once published).
+- Keep project ID prefix `StellaOps.Excititor.Connectors.<Provider>` so the
  plugin loader can discover it with the default search pattern.

 ### 1.1 csproj snippet
@@ -51,7 +51,7 @@ Key points:
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
-    <ProjectReference Include="..\..\..\src\StellaOps.Vexer.Connectors.Abstractions\StellaOps.Vexer.Connectors.Abstractions.csproj" />
+    <ProjectReference Include="..\..\..\src\StellaOps.Excititor.Connectors.Abstractions\StellaOps.Excititor.Connectors.Abstractions.csproj" />
  </ItemGroup>
 </Project>
 ```
@@ -135,7 +135,7 @@ this contract today.
 public sealed class MyConnectorPlugin : IConnectorPlugin
 {
    private static readonly VexConnectorDescriptor Descriptor =
-        new("vexer:my-provider", VexProviderKind.Vendor, "My Provider VEX");
+        new("excititor:my-provider", VexProviderKind.Vendor, "My Provider VEX");

    public string Name => Descriptor.DisplayName;

@@ -150,8 +150,8 @@ public sealed class MyConnectorPlugin : IConnectorPlugin
 }
 ```

-> **Note:** the Vexer Worker currently instantiates connectors through the
-> shared `IConnectorPlugin` contract. Once a dedicated Vexer plugin interface
+> **Note:** the Excititor Worker currently instantiates connectors through the
+> shared `IConnectorPlugin` contract. Once a dedicated Excititor plugin interface
 > lands you simply swap the base interface; the descriptor/connector code
 > remains unchanged.

@@ -159,18 +159,18 @@ Provide a manifest describing the assembly for operational tooling:

 ```yaml
 # manifest/connector.manifest.yaml
-id: vexer-my-provider
-assembly: StellaOps.Vexer.Connectors.MyProvider.dll
-entryPoint: StellaOps.Vexer.Connectors.MyProvider.MyConnectorPlugin
+id: excititor-my-provider
+assembly: StellaOps.Excititor.Connectors.MyProvider.dll
+entryPoint: StellaOps.Excititor.Connectors.MyProvider.MyConnectorPlugin
 description: >
  Official VEX feed for ExampleCorp products (CSAF JSON, daily updates).
 tags:
-  - vexer
+  - excititor
  - csaf
  - vendor
 ```

-Store manifests under `/opt/stella/vexer/plugins/<connector>/manifest/` in
+Store manifests under `/opt/stella/excititor/plugins/<connector>/manifest/` in
 production so the deployment tooling can inventory and verify plug‑ins.

 ---
@@ -178,9 +178,9 @@ production so the deployment tooling can inventory and verify plug‑ins.
 ## 4. Packaging workflow

 1. `dotnet publish -c Release` → copy the published DLLs to
-   `/opt/stella/vexer/plugins/<Provider>/`.
+   `/opt/stella/excititor/plugins/<Provider>/`.
 2. Place `connector.manifest.yaml` next to the binaries.
-3. Restart the Vexer Worker or WebService (hot reload not supported yet).
+3. Restart the Excititor Worker or WebService (hot reload not supported yet).
 4. Verify logs: `VEX-ConnectorLoader` should list the connector descriptor.

 ### 4.1 Offline kits
@@ -195,7 +195,7 @@ production so the deployment tooling can inventory and verify plug‑ins.
 ## 5. Testing checklist

 - Unit tests around options binding & validators.
- Integration tests (future `StellaOps.Vexer.Connectors.Abstractions.Tests`)
+- Integration tests (future `StellaOps.Excititor.Connectors.Abstractions.Tests`)
  verifying deterministic logging scopes:
  `logger.BeginScope` should produce `vex.connector.id`, `vex.connector.kind`,
  and `vex.connector.operation`.
@@ -206,7 +206,7 @@ production so the deployment tooling can inventory and verify plug‑ins.

 ## 6. Reference template

-See `docs/dev/templates/vexer-connector/` for the full quick‑start including:
+See `docs/dev/templates/excititor-connector/` for the full quick‑start including:

 - Sample options class + validator.
 - Connector implementation inheriting from `VexConnectorBase`.
--- a/docs/dev/templates/excititor-connector/manifest/connector.manifest.yaml
+++ b/docs/dev/templates/excititor-connector/manifest/connector.manifest.yaml
@@ -0,0 +1,8 @@
+id: excititor-my-provider
+assembly: StellaOps.Excititor.Connectors.MyProvider.dll
+entryPoint: StellaOps.Excititor.Connectors.MyProvider.MyConnectorPlugin
+description: |
+  Example connector template. Replace metadata before shipping.
+tags:
+  - excititor
+  - template
--- a/docs/dev/templates/excititor-connector/src/Excititor.MyConnector.csproj
+++ b/docs/dev/templates/excititor-connector/src/Excititor.MyConnector.csproj
@@ -7,6 +7,6 @@
  </PropertyGroup>
  <ItemGroup>
    <!-- Adjust the relative path when copying this template into a repo -->
-    <ProjectReference Include="..\..\..\..\src\StellaOps.Vexer.Connectors.Abstractions\StellaOps.Vexer.Connectors.Abstractions.csproj" />
+    <ProjectReference Include="..\..\..\..\src\StellaOps.Excititor.Connectors.Abstractions\StellaOps.Excititor.Connectors.Abstractions.csproj" />
  </ItemGroup>
 </Project>
--- a/docs/dev/templates/excititor-connector/src/MyConnector.cs
+++ b/docs/dev/templates/excititor-connector/src/MyConnector.cs
@@ -2,10 +2,10 @@ using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Runtime.CompilerServices;
 using Microsoft.Extensions.Logging;
-using StellaOps.Vexer.Connectors.Abstractions;
-using StellaOps.Vexer.Core;
+using StellaOps.Excititor.Connectors.Abstractions;
+using StellaOps.Excititor.Core;

-namespace StellaOps.Vexer.Connectors.MyProvider;
+namespace StellaOps.Excititor.Connectors.MyProvider;

 public sealed class MyConnector : VexConnectorBase
 {
--- a/docs/dev/templates/excititor-connector/src/MyConnectorOptions.cs
+++ b/docs/dev/templates/excititor-connector/src/MyConnectorOptions.cs
@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;

-namespace StellaOps.Vexer.Connectors.MyProvider;
+namespace StellaOps.Excititor.Connectors.MyProvider;

 public sealed class MyConnectorOptions
 {
--- a/docs/dev/templates/excititor-connector/src/MyConnectorOptionsValidator.cs
+++ b/docs/dev/templates/excititor-connector/src/MyConnectorOptionsValidator.cs
@@ -1,7 +1,7 @@
 using System.Collections.Generic;
-using StellaOps.Vexer.Connectors.Abstractions;
+using StellaOps.Excititor.Connectors.Abstractions;

-namespace StellaOps.Vexer.Connectors.MyProvider;
+namespace StellaOps.Excititor.Connectors.MyProvider;

 public sealed class MyConnectorOptionsValidator : IVexConnectorOptionsValidator<MyConnectorOptions>
 {
--- a/docs/dev/templates/excititor-connector/src/MyConnectorPlugin.cs
+++ b/docs/dev/templates/excititor-connector/src/MyConnectorPlugin.cs
@@ -1,15 +1,15 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using StellaOps.Plugin;
-using StellaOps.Vexer.Connectors.Abstractions;
-using StellaOps.Vexer.Core;
+using StellaOps.Excititor.Connectors.Abstractions;
+using StellaOps.Excititor.Core;

-namespace StellaOps.Vexer.Connectors.MyProvider;
+namespace StellaOps.Excititor.Connectors.MyProvider;

 public sealed class MyConnectorPlugin : IConnectorPlugin
 {
    private static readonly VexConnectorDescriptor Descriptor = new(
-        id: "vexer:my-provider",
+        id: "excititor:my-provider",
        kind: VexProviderKind.Vendor,
        displayName: "My Provider VEX");

--- a/docs/dev/templates/vexer-connector/manifest/connector.manifest.yaml
+++ b/docs/dev/templates/vexer-connector/manifest/connector.manifest.yaml
@@ -1,8 +0,0 @@
-id: vexer-my-provider
-assembly: StellaOps.Vexer.Connectors.MyProvider.dll
-entryPoint: StellaOps.Vexer.Connectors.MyProvider.MyConnectorPlugin
-description: |
-  Example connector template. Replace metadata before shipping.
-tags:
-  - vexer
-  - template