git.stella-ops.org

Files

master f57b18b6e5 feat(concelier,excititor): MVP connector wiring — 9→31 advisory sources, 4→7 VEX providers

Closes SPRINT_20260422_009 (archived). Lifts backend-wired connector
coverage from 13 to 38 (MVP ~90%) by seeding the 19 fully-implemented
connectors the 2026-04-22 gap survey identified.

Concelier vuln.sources +22 rows (embedded migration
011_seed_connector_sources.sql, INSERT ... ON CONFLICT DO NOTHING):
- Primary: nvd, cve, epss, kev
- Vendor: oracle, adobe, apple, chromium (public CSAF/bulletin feeds)
- CERT: cert-fr, cert-de (cert-bund), cert-cc, cert-in, cccs, us-cert,
  jpcert, krcert (KISA aliased)
- ICS: kaspersky-ics
- Regional: fstec-bdu (RU-BDU), nkcki (RU-NKCKI)
- Credentialed (seeded enabled=false, gated by SRC-CREDS-005 blocked-
  readiness contract): ghsa, microsoft, cisco.

Excititor vex.providers +3 rows (embedded migration
008_seed_csaf_providers.sql, MSRC + SUSE Rancher + OCI OpenVEX all
seeded enabled=false; operators flip via VexProviderConfigurationService
once credentials land). Existing excititor:{cisco, oracle, redhat,
ubuntu} untouched — Option B naming kept.

WIRE-MVP-002 finding: stale premise. All 6 Excititor CSAF connectors
already had ServiceCollectionExtensions in their
DependencyInjection/ folders and were already registered in Excititor
Worker + WebService Program.cs (Excititor uses direct registration, not
Concelier's IDependencyInjectionRoutine plugin pattern). No new DI
stubs needed; confirmed by sweep.

Connectivity verification (stellaops-cli sources check against 19
newly-seeded non-credentialed sources):
- 17/19 HEALTHY: nvd, cve, epss, kev, oracle, apple, cert-fr, cert-de,
  cert-cc, cert-in, cccs, us-cert, jpcert, krcert, kaspersky-ics,
  fstec-bdu, nkcki (latencies 228-3544 ms).
- 2 probe-level quirks (not URL rot, rows stay enabled=true):
  - adobe: 30s timeout on helpx.adobe.com — suspect geo/anti-bot on
    dev host; connector fetch may still work via job path.
  - chromium: HTTP 302 on chromereleases.googleblog.com/atom.xml — CLI
    probe doesn't follow redirects; connector fetch follows them.

Ingest verification deferred to UI-driven db fetch (CLI can't mint
aoc:verify scope — known asymmetry documented in connector-setup-guide).

Evidence: docs/qa/connector-mvp-wiring-20260422/EVIDENCE.md with full
probe results.

Sprint SPRINT_20260422_009 archived — all 4 tasks DONE.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 23:53:30 +03:00

authority-default-tenant-20260422

feat(authority): seed default + installation tenants via migration (SPRINT_20260422_005)

2026-04-22 17:41:23 +03:00

connector-mvp-wiring-20260422

feat(concelier,excititor): MVP connector wiring — 9→31 advisory sources, 4→7 VEX providers

2026-04-22 23:53:30 +03:00

feature-checks

test(web): behavioral QA of Evidence/Ops/Setup/Admin surfaces (SPRINT_20260421_007)

2026-04-22 17:19:51 +03:00

features

…