# AGENTS

## Role
Implement the Apple security advisories connector to ingest Apple HT/HT2 security bulletins for macOS/iOS/tvOS/visionOS.

## Scope
- Identify canonical Apple security bulletin feeds (HTML, RSS, JSON) and change detection strategy.
- Implement fetch/cursor pipeline with retry/backoff, handling localisation/HTML quirks.
- Parse advisories to extract summary, affected products/versions, mitigation, CVEs.
- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (SemVer + vendor extensions).
- Produce deterministic fixtures and regression tests.

## Participants
- `Source.Common` (HTTP/fetch utilities, DTO storage).
- `Storage.Postgres` (raw/document/DTO/advisory stores, source state).
- `Concelier.Models` (canonical structures + range primitives).
- `Concelier.Testing` (integration fixtures/snapshots).

## Interfaces & Contracts
- Job kinds: `apple:fetch`, `apple:parse`, `apple:map`.
- Persist upstream metadata (ETag/Last-Modified or revision IDs) for incremental updates.
- Alias set should include Apple HT IDs and CVE IDs.

## In/Out of scope
In scope:
- Security advisories covering Apple OS/app updates.
- Range primitives capturing device/OS version ranges.

Out of scope:
- Release notes unrelated to security.

## Observability & Security Expectations
- Log fetch/mapping statistics and failure details.
- Sanitize HTML while preserving structured data tables.
- Respect upstream rate limits; record failures with backoff.

## Tests
- Add `StellaOps.Concelier.Connector.Vndr.Apple.Tests` covering fetch/parse/map with fixtures.
- Snapshot canonical advisories; support fixture regeneration via env flag.
- Ensure deterministic ordering/time normalisation.

## Required Reading
- `docs/modules/concelier/architecture.md`
- `docs/modules/platform/architecture-overview.md`

## Working Agreement
1. Update task status to `DOING`/`DONE` in both the corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.