# VEX Source Registration and Verification Pipeline

## Module
Excititor

## Status
VERIFIED

## Description
VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.

## Implementation Details
- **Modules**: `src/Concelier/StellaOps.Excititor.Worker/`, `src/Concelier/StellaOps.Excititor.WebService/`, `src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`, `src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/`
- **Key Classes**:
  - `VexWorkerHostedService` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs`) - background service scheduling provider runs
  - `DefaultVexProviderRunner` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs`) - runs VEX provider connectors on schedule
  - `OrchestratorVexProviderRunner` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs`) - orchestrator-managed provider runner
  - `VexWorkerOrchestratorClient` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs`) - communicates with orchestrator for work assignment
  - `VexWorkerHeartbeatService` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs`) - sends heartbeats to orchestrator
  - `VexWorkerPluginCatalogLoader` (`src/Concelier/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs`) - loads available VEX connector plugins
  - `VexConnectorBase` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs`) - base class for VEX source connectors
  - `VexConnectorDescriptor` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs`) - descriptor metadata for connectors
  - `CiscoCsafConnector` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs`) - public Cisco CSAF connector exercised in the live fallback and cursor-preservation regression checks
  - `WorkerSignatureVerifier` (`src/Concelier/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - verifies signatures during ingestion
  - `VexWorkerSchedule` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs`) - schedule configuration for provider runs
  - `MirrorRegistrationEndpoints` (`src/Concelier/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs`) - REST endpoints for mirror/source registration
- **Interfaces**: `IVexProviderRunner`, `IVexConsensusRefreshScheduler`, `IVexWorkerOrchestratorClient`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Register a new VEX source via `MirrorRegistrationEndpoints` and verify it appears in the plugin catalog
- [ ] Verify `VexWorkerHostedService` schedules provider runs based on `VexWorkerSchedule` configuration
- [ ] Verify `DefaultVexProviderRunner` executes the connector and ingests VEX documents
- [ ] Verify `WorkerSignatureVerifier` validates signatures on ingested documents during the pipeline
- [ ] Verify `VexWorkerHeartbeatService` sends heartbeats to the orchestrator during long-running ingestion
- [ ] Verify `VexWorkerPluginCatalogLoader` discovers and loads all available vendor connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE)

## Verification
- Re-verified on 2026-04-22 via `run-002`.
- Tier 0: Current `src/Concelier/...` source files confirmed present on disk; stale legacy `src/Excititor/...` references from the previous checked record were normalized during this QA cycle.
- Tier 1: `dotnet build` passed for `src/Concelier/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj` with 0 warnings and 0 errors. Targeted xUnit helper runs also passed for `CiscoCsafConnectorTests` (8/8) and `VexWorkerOrchestratorClientTests` (10/10).
- Tier 2d: Disposable Cisco-only worker run `eddb0e0b-26b1-4b9c-b08d-679413905795` completed after `index.json` returned `404` and the connector fell back cleanly to `changes.csv` `200`; the run persisted no duplicate raw documents and preserved `vex.connector_states.last_updated = 2026-04-22 07:25:53.884862+00`.
- Artifacts: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier0-source-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier1-build-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier2-integration-check.json`
- Further re-verified on 2026-04-22 via `run-003` for the Oracle CSAF provider path.
- Tier 0: Oracle CSAF source files and their targeted test classes were confirmed present under `src/Concelier/...`.
- Tier 1: Targeted xUnit helper runs passed for `OracleCatalogLoaderTests` (3/3) and `OracleCsafConnectorTests` (4/4), covering cache/offline catalog loading, checksum mismatch handling, missing historical documents, and empty-digest checkpoint behavior.
- Tier 2d: Disposable Oracle-only worker run `5fa3edb0-a3af-4ec1-b9bb-dce9baa32d09` completed successfully against the live Oracle RSS catalog. The connector skipped multiple historical `404` CSAF URIs without failing the provider, persisted no duplicate raw documents, and preserved `vex.connector_states.last_updated = 2026-04-22 06:46:15.261191+00`.
- Artifacts: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier0-source-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier1-build-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier2-integration-check.json`