StellaOps Concelier
Concelier ingests signed advisories from 32 advisory connectors and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
Advisory Sources (32 connectors):
- National CERTs (8): ACSC (Australia), CCCS (Canada), CERT-Bund (Germany), CERT-CC (US), CERT-FR (France), CERT-IN (India), JVN (Japan), KISA (Korea)
- OS Distros (5): Alpine SecDB, Debian Security Tracker, RedHat OVAL, SUSE OVAL, Ubuntu USN
- Vendors (7): Apple, Adobe, Chromium, Cisco PSIRT, Microsoft MSRC, Oracle, VMware
- Standards (5): CVE, NVD, GHSA (GitHub), OSV, EPSS v4
- Threat Intel (3): KEV (CISA Exploited Vulns), CISA ICS, Kaspersky ICS
- Regional (3): Russia BDU, Russia NKCKI, plus regional mirrors
- Internal (1): StellaOps internal mirror
Responsibilities
- Fetch and normalise vulnerability advisories via restart-time connectors.
- Persist observations and correlation linksets without precedence decisions.
- Emit deterministic exports (JSON, Trivy DB) for downstream policy evaluation.
- Coordinate offline/air-gap updates via Offline Kit bundles.
- Serve paragraph-anchored advisory chunks for Advisory AI consumers without breaking the Aggregation-Only Contract.
Key components
- StellaOps.Concelier.WebService orchestration host.
- Connector libraries under StellaOps.Concelier.Connector.*.
- Exporter packages (StellaOps.Concelier.Exporter.*).
Recent updates
- 2025-11-07: Paragraph-anchored /advisories/{advisoryKey}/chunks endpoint shipped for Advisory AI paragraph retrieval. Details and rollout notes live in ../../implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md.
Integrations & dependencies
- PostgreSQL (schema vuln) for canonical observations and schedules.
- Policy Engine / Export Center / CLI for evidence consumption.
- Notify and UI for advisory deltas.
Operational notes
- Connector runbooks in ./operations/connectors/.
- Mirror operations for Offline Kit parity.
- Grafana dashboards for connector health.
- Authority toggle rollout (2025-10-22 update). Follow the phased table and audit checklist in ../../10_CONCELIER_CLI_QUICKSTART.md when enabling authority.enabled / authority.allowAnonymousFallback, and cross-check the refreshed ./operations/authority-audit-runbook.md before enforcement.
Related resources
- ./operations/conflict-resolution.md
- ./operations/mirror.md
- ./operations/authority-audit-runbook.md
- ../../10_CONCELIER_CLI_QUICKSTART.md (authority integration timeline & smoke tests)
Backlog references
- DOCS-LNM-22-001, DOCS-LNM-22-007 in ../../TASKS.md.
- Connector-specific TODOs in src/Concelier/**/TASKS.md.
Epic alignment
- Epic 1 – AOC enforcement: uphold raw observation invariants, provenance requirements, linkset-only enrichment, and AOC verifier guardrails across every connector.
- Epic 10 – Export Center: expose deterministic advisory exports and metadata required by JSON/Trivy/mirror bundles.
Implementation Status
Delivery Phases:
- Phase 1 (Guardrails & schema) – PostgreSQL validators, AOCWriteGuard interceptor, deterministic linkset builders operational
- Phase 2 (API & observability) – Ingestion/verification endpoints with Authority scopes, telemetry, Offline Kit packaging
- Phase 3 (Experience polish) – CLI/Console affordances, Export Center hand-off metadata, CI enforcement
Acceptance Criteria:
- PostgreSQL validators and runtime guards reject forbidden fields and missing provenance with ERR_AOC_00x codes
- Linksets and supersedes chains deterministic; identical payloads yield byte-identical documents
- CLI stella aoc verify exits non-zero on violations, zero on clean datasets
- Export Center consumes advisory datasets without legacy normalized fields
- CI fails on lint violations or guard test regressions
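The first two acceptance criteria above (guards rejecting forbidden fields and missing provenance with ERR_AOC_00x codes; byte-identical output for identical payloads) as an added illustration in Python. This is not Concelier's own code: the forbidden field names, the required provenance keys, the concrete error codes and the sample observations are all assumptions constructed for the example.

```python
import json

# Added illustration of the Aggregation-Only Contract write guard; not Concelier's own code.
# The forbidden fields, provenance keys and concrete ERR_AOC_00x codes are assumptions.
FORBIDDEN_FIELDS = {"severity", "precedence", "merged_from"}      # assumed derived fields
REQUIRED_PROVENANCE = {"source", "fetched_at", "document_sha256"}  # assumed provenance keys

class AocViolation(ValueError):
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code

def guard_observation(obs):
    """Reject a write carrying derived fields or lacking provenance (the AOCWriteGuard idea)."""
    forbidden = sorted(FORBIDDEN_FIELDS & set(obs))
    if forbidden:
        raise AocViolation("ERR_AOC_001", f"forbidden derived fields {forbidden}")
    prov = obs.get("provenance")
    if not isinstance(prov, dict):
        raise AocViolation("ERR_AOC_002", "missing provenance block")
    missing = sorted(REQUIRED_PROVENANCE - set(prov))
    if missing:
        raise AocViolation("ERR_AOC_003", f"provenance missing {missing}")
    return obs

def violation_code(obs):
    """Return the ERR_AOC code the guard would raise, or None when the write is clean."""
    try:
        guard_observation(obs)
    except AocViolation as exc:
        return exc.code
    return None

def build_linkset(observations):
    """Correlate guarded observations by advisory key; list sources, decide no precedence."""
    linkset = {}
    for obs in observations:
        guard_observation(obs)
        linkset.setdefault(obs["advisory_key"], set()).add(obs["provenance"]["source"])
    return {key: {"sources": sorted(srcs)} for key, srcs in sorted(linkset.items())}

def canonical_bytes(doc):
    """Deterministic JSON (sorted keys, fixed separators): equal content is byte-identical."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")

# Constructed sample input: the same two observations in different key and input order.
PROV = {"source": "nvd", "fetched_at": "2025-01-01T00:00:00Z", "document_sha256": "00" * 32}
OBS_A = [{"advisory_key": "ADV-EXAMPLE", "provenance": PROV, "title": "t"},
         {"title": "t", "provenance": {**PROV, "source": "osv"}, "advisory_key": "ADV-EXAMPLE"}]
OBS_B = list(reversed(OBS_A))
```

Feeding OBS_A and OBS_B through build_linkset and canonical_bytes yields the same bytes, while adding a severity field to any observation is refused before it reaches the linkset.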
Key Risks & Mitigations:
- Collector drift: guard middleware + CI lint + schema validation; RFC required for linkset changes
- Migration complexity: staged cutover with backup copies, temporary views for Policy Engine parity
- Performance overhead: guard remains O(number of keys), index review for insert latency targets
- Tenancy leakage: tenant required in schema, Authority claims enforced, observability alerts
Recent Milestones:
- Sprint 110 attestation chain validated, evidence bundle tests green
- Link-Not-Merge cache and console consumption docs frozen
- Observation events transport reviewed, NATS/air-gap guidance updated