git.stella-ops.org

stella-ops.org/git.stella-ops.org

Fork 0

Commit Graph

Author	SHA1	Message	Date
master	dd98d6c3f6	docs(ops): connector setup guide — reflect actual state after 2026-04-22 survey Revised to reflect verified end-to-end state on the local dev stack: Concelier (9 wired backend connectors, 8 healthy, 787 advisories ingested): - redhat (651 docs), osv (59), debian (41), suse (26), alpine (8), ubuntu (2), auscert (0), vmware (0), stella-mirror (404 on dev — OK) - all respond to `sources check` probes Excititor (4 wired providers): - excititor:{redhat, ubuntu, cisco, oracle} all enabled - Cisco VEX uses the public CSAF feed (unauthenticated) — different from the Concelier advisory side of Cisco which would need PSIRT OAuth Aspirational catalog (~65 entries): present in `stellaops-cli sources list` but NOT backend-wired. `sources enable <id>` returns OK but is a no-op because no source_type → connector mapping exists. Tracked in SPRINT_20260422_004 / _007. Credential steps (GHSA, Cisco PSIRT, Microsoft MSRC) retained but flagged as ready-for-when-the-connector-backend-lands. Currently all three connectors they'd apply to are in the aspirational catalog only. Operator commands documented + known CLI asymmetry (Concelier.Advisories.Read policy needs aoc:verify scope which stellaops-cli client can't mint; affects read endpoints only, write path works). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 20:55:37 +03:00
master	a821bb4a65	docs(ops): connector setup guide — credential creation + enablement paths Operator reference for bringing up the full Concelier + Excititor connector estate. Authored alongside the 2026-04-22 session's connector setup work. Covers: - Credential requirements matrix: GHSA, Cisco PSIRT, MSRC require operator-created credentials; all other ~26 connectors use public endpoints. - Exact click-paths for creating credentials: - GitHub PAT at github.com/settings/tokens (read:packages + public_repo scopes, SSO authorize if org requires). - Cisco PSIRT openVuln OAuth2 client at apiconsole.cisco.com/apps. - Microsoft Entra confidential app + client secret + Security Updates API permission at entra.microsoft.com. - Where to paste credentials in the UI (/setup/integrations) and CLI (stellaops-cli db connectors configure ...). - Retained-secret contract: server never echoes secrets; UI shows a retained-secret badge; unrelated edits don't require re-entering. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 20:43:41 +03:00

Author

SHA1

Message

Date

master

dd98d6c3f6

docs(ops): connector setup guide — reflect actual state after 2026-04-22 survey

Revised to reflect verified end-to-end state on the local dev stack:

Concelier (9 wired backend connectors, 8 healthy, 787 advisories ingested):
- redhat (651 docs), osv (59), debian (41), suse (26), alpine (8),
  ubuntu (2), auscert (0), vmware (0), stella-mirror (404 on dev — OK)
- all respond to `sources check` probes

Excititor (4 wired providers):
- excititor:{redhat, ubuntu, cisco, oracle} all enabled
- Cisco VEX uses the public CSAF feed (unauthenticated) — different
  from the Concelier advisory side of Cisco which would need PSIRT OAuth

Aspirational catalog (~65 entries): present in `stellaops-cli sources list`
but NOT backend-wired. `sources enable <id>` returns OK but is a no-op
because no source_type → connector mapping exists. Tracked in
SPRINT_20260422_004 / _007.

Credential steps (GHSA, Cisco PSIRT, Microsoft MSRC) retained but flagged
as ready-for-when-the-connector-backend-lands. Currently all three
connectors they'd apply to are in the aspirational catalog only.

Operator commands documented + known CLI asymmetry (Concelier.Advisories.Read
policy needs aoc:verify scope which stellaops-cli client can't mint;
affects read endpoints only, write path works).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 20:55:37 +03:00

master

a821bb4a65

docs(ops): connector setup guide — credential creation + enablement paths

Operator reference for bringing up the full Concelier + Excititor
connector estate. Authored alongside the 2026-04-22 session's connector
setup work.

Covers:
- Credential requirements matrix: GHSA, Cisco PSIRT, MSRC require
  operator-created credentials; all other ~26 connectors use public
  endpoints.
- Exact click-paths for creating credentials:
  - GitHub PAT at github.com/settings/tokens (read:packages +
    public_repo scopes, SSO authorize if org requires).
  - Cisco PSIRT openVuln OAuth2 client at apiconsole.cisco.com/apps.
  - Microsoft Entra confidential app + client secret + Security
    Updates API permission at entra.microsoft.com.
- Where to paste credentials in the UI (/setup/integrations) and CLI
  (stellaops-cli db connectors configure ...).
- Retained-secret contract: server never echoes secrets; UI shows a
  retained-secret badge; unrelated edits don't require re-entering.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 20:43:41 +03:00

2 Commits