Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.
CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced
Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow
Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced
Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.
This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Concelier Connectors
This index is the authoritative operator-facing inventory for the Concelier advisory source catalog and the linked Excititor VEX provider control plane.
Current control-plane counts
- Advisory source catalog definitions: 78
- Advisory sources with built-in runnable fetch pipelines on this host: 31
- Advisory sources with stored connector configuration exposed through both Web UI and CLI: 6
- Excititor VEX providers in the provider catalog: 7
Operator entry points:
- Advisory source catalog: Ops -> Integrations -> Advisory & VEX Sources
- Advisory source stored configuration: source card -> Stored Connector Configuration
- Advisory source CLI path: `stella db connectors configure <source-id>`
- VEX provider catalog: Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers
- VEX provider CLI path: `stella excititor list-providers`, `show-provider`, `enable-provider`, `disable-provider`, `run-provider`, `update-provider`
Related docs:
- Stored advisory credentials and endpoint overrides: `docs/modules/concelier/operations/source-credentials.md`
- Excititor provider control plane: `docs/modules/excititor/operations/provider-control-plane.md`
- Connector runbooks: `docs/modules/concelier/operations/connectors/`
Readiness model
Advisory sources and VEX providers preserve operator intent separately from runtime readiness.
Advisory sources return:
- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `unsupported`
Excititor VEX providers return:
- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `planned`
Interpretation:
- `blocked` means the operator wants the connector enabled, but the runtime is intentionally holding it until required configuration or retry cooldown conditions clear.
- `unsupported` means the advisory source exists in the catalog but this host does not register a runnable `source:<id>:fetch` pipeline.
- `planned` means the VEX provider exists in the provider catalog but the current Excititor host has not registered a runnable connector for it.
Canonical runtime note:
- Advisory source IDs come from `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`
- Advisory source aliases are normalized by `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceKeyAliases.cs`
- Advisory source runnable pipelines come from `src/Concelier/StellaOps.Concelier.WebService/Extensions/JobRegistrationExtensions.cs`
- Excititor provider readiness comes from `src/Concelier/StellaOps.Excititor.WebService/Services/VexProviderManagementService.cs`
Advisory source inventory
Legend:
- `Built-in runnable = yes` means this Concelier WebService registers a `source:<id>:fetch` job.
- `Stored config = UI+CLI` means operators can persist credentials or endpoint overrides through both the Web UI and `stella db connectors configure`.
- `Stored config = none` means no persisted connector-specific source configuration schema exists today on the advisory side.
| Category | ID | Display name | Default enabled | Requires auth | Built-in runnable | Stored config |
|---|---|---|---|---|---|---|
| Cert | auscert | AusCERT (Australia) | false | false | yes | none |
| Cert | cccs | CCCS (Canada) | true | false | yes | none |
| Cert | cert-at | CERT.at (Austria) | true | false | no | none |
| Cert | cert-be | CERT.be (Belgium) | true | false | no | none |
| Cert | cert-cc | CERT/CC | true | false | yes | none |
| Cert | cert-ch | NCSC-CH (Switzerland) | true | false | no | none |
| Cert | cert-de | CERT-Bund (Germany) | true | false | yes | none |
| Cert | cert-eu | CERT-EU | true | false | no | none |
| Cert | cert-fr | CERT-FR | true | false | yes | none |
| Cert | cert-in | CERT-In (India) | false | false | yes | none |
| Cert | cert-pl | CERT.PL (Poland) | false | false | no | none |
| Cert | cert-ua | CERT-UA (Ukraine) | false | false | no | none |
| Cert | fstec-bdu | FSTEC BDU (Russia) | false | false | yes | none |
| Cert | jpcert | JPCERT/CC (Japan) | true | false | yes | none |
| Cert | krcert | KrCERT/CC (South Korea) | false | false | yes | none |
| Cert | nkcki | NKCKI (Russia) | false | false | yes | none |
| Cert | us-cert | CISA (US-CERT) | true | false | yes | none |
| Container | chainguard | Chainguard Advisories | true | false | no | none |
| Container | docker-official | Docker Official CVEs | true | false | no | none |
| Csaf | csaf | CSAF Aggregator | true | false | no | none |
| Csaf | csaf-tc | CSAF TC Trusted Publishers | true | false | no | none |
| Csaf | vex | VEX Hub | true | false | no | none |
| Distribution | alpine | Alpine Security | true | false | yes | none |
| Distribution | arch | Arch Security | true | false | no | none |
| Distribution | astra | Astra Linux Security | false | false | no | none |
| Distribution | centos | CentOS Security | true | false | no | none |
| Distribution | debian | Debian Security | true | false | yes | none |
| Distribution | fedora | Fedora Security | true | false | no | none |
| Distribution | gentoo | Gentoo Security | true | false | no | none |
| Distribution | rhel | RHEL Security | true | false | no | none |
| Distribution | suse | SUSE Security | true | false | yes | none |
| Distribution | ubuntu | Ubuntu Security | true | false | yes | none |
| Ecosystem | crates | Crates.io Advisories | false | false | no | none |
| Ecosystem | go | Go Advisories | false | false | no | none |
| Ecosystem | hex | Hex.pm Advisories | false | false | no | none |
| Ecosystem | maven | Maven Advisories | false | false | no | none |
| Ecosystem | npm | npm Advisories | false | false | no | none |
| Ecosystem | nuget | NuGet Advisories | false | true | no | none |
| Ecosystem | packagist | Packagist Advisories | false | false | no | none |
| Ecosystem | pypi | PyPI Advisories | false | false | no | none |
| Ecosystem | rubygems | RubyGems Advisories | false | false | no | none |
| Exploit | exploitdb | Exploit-DB | false | false | no | none |
| Exploit | metasploit | Metasploit Modules | false | false | no | none |
| Exploit | poc-github | PoC-in-GitHub | false | true | no | none |
| Hardware | amd | AMD Security | false | false | no | none |
| Hardware | arm | ARM Security Center | false | false | no | none |
| Hardware | intel | Intel PSIRT | false | false | no | none |
| Ics | kaspersky-ics | Kaspersky ICS-CERT | false | false | yes | none |
| Ics | siemens | Siemens ProductCERT | false | false | no | none |
| Mirror | stella-mirror | StellaOps Mirror | false | false | yes | none |
| PackageManager | bundler-audit | Ruby Advisory DB | false | false | no | none |
| PackageManager | govuln | Go Vuln DB | false | false | no | none |
| PackageManager | pypa | PyPA Advisory DB | false | false | no | none |
| PackageManager | rustsec | RustSec Advisory DB | false | false | no | none |
| Primary | cve | CVE.org (MITRE) | true | false | yes | none |
| Primary | ghsa | GitHub Security Advisories | true | true | yes | UI+CLI |
| Primary | nvd | NVD (NIST) | true | false | yes | none |
| Primary | osv | OSV (Google) | true | false | yes | none |
| Threat | epss | EPSS (FIRST) | true | false | yes | none |
| Threat | kev | CISA KEV | true | false | yes | none |
| Threat | mitre-attack | MITRE ATT&CK | false | false | no | none |
| Threat | mitre-d3fend | MITRE D3FEND | false | false | no | none |
| Vendor | adobe | Adobe Security | true | false | yes | UI+CLI |
| Vendor | amazon | Amazon Linux Security | true | false | no | none |
| Vendor | apple | Apple Security | true | false | yes | none |
| Vendor | aws | AWS Security Bulletins | true | false | no | none |
| Vendor | azure | Azure Security Advisories | true | false | no | none |
| Vendor | chromium | Chromium Security | true | false | yes | UI+CLI |
| Vendor | cisco | Cisco Security | true | true | yes | UI+CLI |
| Vendor | fortinet | Fortinet PSIRT | true | false | no | none |
| Vendor | gcp | GCP Security Bulletins | true | false | no | none |
| Vendor | | Google Security | true | false | no | none |
| Vendor | juniper | Juniper Security | true | false | no | none |
| Vendor | microsoft | Microsoft Security | true | true | yes | UI+CLI |
| Vendor | oracle | Oracle Security | true | false | yes | UI+CLI |
| Vendor | paloalto | Palo Alto Security | true | false | no | none |
| Vendor | redhat | Red Hat Security | true | false | yes | none |
| Vendor | vmware | VMware Security | true | false | yes | none |
Stored advisory configuration coverage
The current stored configuration schema covers these advisory sources:
- `ghsa`: GitHub API token
- `cisco`: OAuth client ID and client secret
- `microsoft`: tenant ID, client ID, and client secret
- `oracle`: calendar and advisory URI overrides
- `adobe`: bulletin index URI overrides
- `chromium`: feed URI override
Everything else in the advisory catalog is either:
- public and currently fieldless on the advisory side, or
- cataloged but not wired into the built-in runnable WebService job surface yet
Verification state for this inventory
Control-plane evidence reverified in Sprint 20260422_004:
- Advisory source catalog and status API coverage confirms built-in runnable vs catalog-only behavior for representative connectors including `nvd`, `osv`, `cccs`, `cert-cc`, `krcert`, `microsoft`, `ghsa`, `cisco`, `oracle`, `adobe`, `chromium`, and catalog-only `npm`
- Advisory stored configuration persistence is covered for `ghsa`, `adobe`, and `chromium`
- Excititor provider management endpoints are covered by targeted backend tests and linked UI/CLI work is documented in `docs/modules/excititor/operations/provider-control-plane.md`
This page does not claim that all 78 advisory connectors were end-to-end re-ingested in this sprint. It records catalog truth, built-in host wiring, stored configuration coverage, and the specific control-plane verification completed during this implementation slice.