# Concelier Connectors

This index is the authoritative operator-facing inventory for the Concelier advisory source catalog and the linked Excititor VEX provider control plane.

## Current control-plane counts

- Advisory source catalog definitions: `78`
- Advisory sources with built-in runnable fetch pipelines on this host: `31`
- Advisory sources with stored connector configuration exposed through both Web UI and CLI: `6`
- Excititor VEX providers in the provider catalog: `7`

Operator entry points:

- Advisory source catalog: `Ops -> Integrations -> Advisory & VEX Sources`
- Advisory source stored configuration: source card -> `Stored Connector Configuration`
- Advisory source CLI path: `stella db connectors configure <source-id>`
- VEX provider catalog: `Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers`
- VEX provider CLI path: `stella excititor list-providers`, `show-provider`, `enable-provider`, `disable-provider`, `run-provider`, `update-provider`

Related docs:

- Stored advisory credentials and endpoint overrides: `docs/modules/concelier/operations/source-credentials.md`
- Excititor provider control plane: `docs/modules/excititor/operations/provider-control-plane.md`
- Connector runbooks: `docs/modules/concelier/operations/connectors/`

## Readiness model

Advisory sources and VEX providers preserve operator intent separately from runtime readiness.

Advisory sources return:

- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `unsupported`

Excititor VEX providers return:

- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `planned`

Interpretation:

- `blocked` means the operator wants the connector enabled, but the runtime is intentionally holding it until required configuration or retry cooldown conditions clear.
- `unsupported` means the advisory source exists in the catalog but this host does not register a runnable `source:<id>:fetch` pipeline.
- `planned` means the VEX provider exists in the provider catalog but the current Excititor host has not registered a runnable connector for it.

Canonical runtime note:

- Advisory source IDs come from `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`
- Advisory source aliases are normalized by `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceKeyAliases.cs`
- Advisory source runnable pipelines come from `src/Concelier/StellaOps.Concelier.WebService/Extensions/JobRegistrationExtensions.cs`
- Excititor provider readiness comes from `src/Concelier/StellaOps.Excititor.WebService/Services/VexProviderManagementService.cs`

## Advisory source inventory

Legend:

- `Built-in runnable = yes` means this Concelier WebService registers a `source:<id>:fetch` job.
- `Stored config = UI+CLI` means operators can persist credentials or endpoint overrides through both the Web UI and `stella db connectors configure`.
- `Stored config = none` means no persisted connector-specific source configuration schema exists today on the advisory side.

| Category | ID | Display name | Default enabled | Requires auth | Built-in runnable | Stored config |
| --- | --- | --- | --- | --- | --- | --- |
| Cert | auscert | AusCERT (Australia) | false | false | yes | none |
| Cert | cccs | CCCS (Canada) | true | false | yes | none |
| Cert | cert-at | CERT.at (Austria) | true | false | no | none |
| Cert | cert-be | CERT.be (Belgium) | true | false | no | none |
| Cert | cert-cc | CERT/CC | true | false | yes | none |
| Cert | cert-ch | NCSC-CH (Switzerland) | true | false | no | none |
| Cert | cert-de | CERT-Bund (Germany) | true | false | yes | none |
| Cert | cert-eu | CERT-EU | true | false | no | none |
| Cert | cert-fr | CERT-FR | true | false | yes | none |
| Cert | cert-in | CERT-In (India) | false | false | yes | none |
| Cert | cert-pl | CERT.PL (Poland) | false | false | no | none |
| Cert | cert-ua | CERT-UA (Ukraine) | false | false | no | none |
| Cert | fstec-bdu | FSTEC BDU (Russia) | false | false | yes | none |
| Cert | jpcert | JPCERT/CC (Japan) | true | false | yes | none |
| Cert | krcert | KrCERT/CC (South Korea) | false | false | yes | none |
| Cert | nkcki | NKCKI (Russia) | false | false | yes | none |
| Cert | us-cert | CISA (US-CERT) | true | false | yes | none |
| Container | chainguard | Chainguard Advisories | true | false | no | none |
| Container | docker-official | Docker Official CVEs | true | false | no | none |
| Csaf | csaf | CSAF Aggregator | true | false | no | none |
| Csaf | csaf-tc | CSAF TC Trusted Publishers | true | false | no | none |
| Csaf | vex | VEX Hub | true | false | no | none |
| Distribution | alpine | Alpine Security | true | false | yes | none |
| Distribution | arch | Arch Security | true | false | no | none |
| Distribution | astra | Astra Linux Security | false | false | no | none |
| Distribution | centos | CentOS Security | true | false | no | none |
| Distribution | debian | Debian Security | true | false | yes | none |
| Distribution | fedora | Fedora Security | true | false | no | none |
| Distribution | gentoo | Gentoo Security | true | false | no | none |
| Distribution | rhel | RHEL Security | true | false | no | none |
| Distribution | suse | SUSE Security | true | false | yes | none |
| Distribution | ubuntu | Ubuntu Security | true | false | yes | none |
| Ecosystem | crates | Crates.io Advisories | false | false | no | none |
| Ecosystem | go | Go Advisories | false | false | no | none |
| Ecosystem | hex | Hex.pm Advisories | false | false | no | none |
| Ecosystem | maven | Maven Advisories | false | false | no | none |
| Ecosystem | npm | npm Advisories | false | false | no | none |
| Ecosystem | nuget | NuGet Advisories | false | true | no | none |
| Ecosystem | packagist | Packagist Advisories | false | false | no | none |
| Ecosystem | pypi | PyPI Advisories | false | false | no | none |
| Ecosystem | rubygems | RubyGems Advisories | false | false | no | none |
| Exploit | exploitdb | Exploit-DB | false | false | no | none |
| Exploit | metasploit | Metasploit Modules | false | false | no | none |
| Exploit | poc-github | PoC-in-GitHub | false | true | no | none |
| Hardware | amd | AMD Security | false | false | no | none |
| Hardware | arm | ARM Security Center | false | false | no | none |
| Hardware | intel | Intel PSIRT | false | false | no | none |
| Ics | kaspersky-ics | Kaspersky ICS-CERT | false | false | yes | none |
| Ics | siemens | Siemens ProductCERT | false | false | no | none |
| Mirror | stella-mirror | StellaOps Mirror | false | false | yes | none |
| PackageManager | bundler-audit | Ruby Advisory DB | false | false | no | none |
| PackageManager | govuln | Go Vuln DB | false | false | no | none |
| PackageManager | pypa | PyPA Advisory DB | false | false | no | none |
| PackageManager | rustsec | RustSec Advisory DB | false | false | no | none |
| Primary | cve | CVE.org (MITRE) | true | false | yes | none |
| Primary | ghsa | GitHub Security Advisories | true | true | yes | UI+CLI |
| Primary | nvd | NVD (NIST) | true | false | yes | none |
| Primary | osv | OSV (Google) | true | false | yes | none |
| Threat | epss | EPSS (FIRST) | true | false | yes | none |
| Threat | kev | CISA KEV | true | false | yes | none |
| Threat | mitre-attack | MITRE ATT&CK | false | false | no | none |
| Threat | mitre-d3fend | MITRE D3FEND | false | false | no | none |
| Vendor | adobe | Adobe Security | true | false | yes | UI+CLI |
| Vendor | amazon | Amazon Linux Security | true | false | no | none |
| Vendor | apple | Apple Security | true | false | yes | none |
| Vendor | aws | AWS Security Bulletins | true | false | no | none |
| Vendor | azure | Azure Security Advisories | true | false | no | none |
| Vendor | chromium | Chromium Security | true | false | yes | UI+CLI |
| Vendor | cisco | Cisco Security | true | true | yes | UI+CLI |
| Vendor | fortinet | Fortinet PSIRT | true | false | no | none |
| Vendor | gcp | GCP Security Bulletins | true | false | no | none |
| Vendor | google | Google Security | true | false | no | none |
| Vendor | juniper | Juniper Security | true | false | no | none |
| Vendor | microsoft | Microsoft Security | true | true | yes | UI+CLI |
| Vendor | oracle | Oracle Security | true | false | yes | UI+CLI |
| Vendor | paloalto | Palo Alto Security | true | false | no | none |
| Vendor | redhat | Red Hat Security | true | false | yes | none |
| Vendor | vmware | VMware Security | true | false | yes | none |

## Stored advisory configuration coverage

The current stored configuration schema covers these advisory sources:

- `ghsa`: GitHub API token
- `cisco`: OAuth client ID and client secret
- `microsoft`: tenant ID, client ID, and client secret
- `oracle`: calendar and advisory URI overrides
- `adobe`: bulletin index URI overrides
- `chromium`: feed URI override

Everything else in the advisory catalog is either:

- public and currently fieldless on the advisory side, or
- cataloged but not wired into the built-in runnable WebService job surface yet

## Verification state for this inventory

Control-plane evidence reverified in Sprint `20260422_004`:

- Advisory source catalog and status API coverage confirms built-in runnable vs catalog-only behavior for representative connectors including `nvd`, `osv`, `cccs`, `cert-cc`, `krcert`, `microsoft`, `ghsa`, `cisco`, `oracle`, `adobe`, `chromium`, and catalog-only `npm`
- Advisory stored configuration persistence is covered for `ghsa`, `adobe`, and `chromium`
- Excititor provider management endpoints are covered by targeted backend tests and linked UI/CLI work is documented in `docs/modules/excititor/operations/provider-control-plane.md`

This page does not claim that all 78 advisory connectors were end-to-end re-ingested in this sprint. It records catalog truth, built-in host wiring, stored configuration coverage, and the specific control-plane verification completed during this implementation slice.