# Concelier NVD Connector - Operations Runbook

_Last updated: 2026-01-16_

## 1. Overview
The NVD connector ingests CVE records and CVSS metadata from the NVD feed to enrich advisory observations.

## 2. Authentication
- Requires an API key configured in `concelier.yaml` under `sources.nvd.auth`.

## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
  sources:
    nvd:
      baseUri: "<nvd-api-base>"
      auth:
        type: "api-key"
        header: "apiKey"
      maxDocumentsPerFetch: 20
      fetchTimeout: "00:00:45"
      requestDelay: "00:00:00"
```

## 4. Offline and air-gapped deployments
- Mirror the NVD feed into the Offline Kit and repoint `baseUri` to the mirror.
- Keep fetch ordering deterministic by maintaining stable paging settings.

## 5. Common failure modes
- Missing/invalid API key.
- Upstream rate limits.
- Schema validation errors on malformed payloads.