# Advisories and VEX

Purpose
- Display Concelier advisories and Excititor VEX consensus without mutating upstream data.
- Highlight provenance, conflicts, and verification status under Aggregation-Only rules.

Access and dependencies
- Routes: /console/advisories and /console/vex.
- Scopes: advisory.read, vex.read; advisory.verify and vex.verify for verification actions; downloads.read for exports.
- Depends on Concelier and Excititor aggregation APIs and Authority tenancy.
- Feature flags: advisoryExplorer.enabled, vexExplorer.enabled, aggregation.conflictIndicators.

Layout
- Shared header with tenant badge, global filters, status ticker, and actions.
- Tabs for Advisories and VEX; last view remembered per tenant.
- Left rail includes saved views and provider filters.

Advisory grid
- Columns: vulnerability ID, title, source set, last merged, severity, KEV flag, affected count, merge hash.
- Source chips list providers with precedence and timestamps.
- Filters: ID search, provider, severity, KEV, affected count, time window.
- Actions: open detail, compare sources, queue verify, copy CLI.

Advisory detail drawer
- Summary cards: title, timestamps, merge hash, total sources, exploited flag.
- Sources timeline with signature status, precedence, and raw links.
- Affected products table with semver or distro view toggle.
- Conflict indicators for severity, fixed versions, affected sets.
- References list and raw JSON viewer.
- CLI parity for show, sources, and export commands.

VEX explorer
- Consensus table keyed by vulnerability and product.
- Status badges: affected, not_affected, fixed, under_investigation.
- Provider breakdown shows accepted or ignored claims with weights and justification.
- Filters: product PURL, status, provider, justification code, confidence threshold.
- Saved views for common triage scenarios.

VEX detail drawer
- Consensus summary with policy revision and confidence data.
- Claims list grouped by provider tier with provenance and supersedes chains.
- Conflict explainers show why claims were ignored.
- Timeline events with correlation IDs.
- Raw JSON viewer with CLI parity.

Provenance and raw viewers
- Provenance banner shows source URI, document digest, signature status, timestamps, collector version.
- Raw documents are read-only and include DSSE bundle download when available.
- Log pivot links copy correlation ID queries.

Conflict indicators and AOC alignment
- Conflicts are surfaced rather than merged in the UI.
- Winning values and precedence are shown from Concelier metadata.
- UI copy reminds users policy decisions happen elsewhere.

Verification workflows
- Verify actions call Concelier or Excititor endpoints scoped by tenant and filters.
- Results summarize documents checked, signatures verified, and ERR_AOC codes.
- Verification history is accessible from the status ticker.

Exports and automation
- Advisory exports: normalized advisory, affected products CSV, source bundle.
- VEX exports: consensus snapshot, raw claims, provider deltas.
- Export manifests include merge hash or consensus digest and signature state.
- Webhook subscription snippets for export completion.

Real-time updates
- SSE refreshes advisory and VEX grids with delta badges.
- Status ticker shows ingest lag and verification queue depth.

Offline behavior
- Snapshot banner shows staleness and disables live verification.
- Raw downloads use local snapshot paths with checksum guidance.
- Exports queue locally with removable media instructions.
- Tenants missing from the snapshot are hidden.