Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.

CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced

Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow

Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced

Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.

This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
167 lines
9.8 KiB
Markdown
# Concelier Connectors

This index is the authoritative operator-facing inventory for the Concelier advisory source catalog and the linked Excititor VEX provider control plane.

## Current control-plane counts

- Advisory source catalog definitions: `78`
- Advisory sources with built-in runnable fetch pipelines on this host: `31`
- Advisory sources with stored connector configuration exposed through both Web UI and CLI: `6`
- Excititor VEX providers in the provider catalog: `7`

Operator entry points:

- Advisory source catalog: `Ops -> Integrations -> Advisory & VEX Sources`
- Advisory source stored configuration: source card -> `Stored Connector Configuration`
- Advisory source CLI path: `stella db connectors configure <source-id>`
- VEX provider catalog: `Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers`
- VEX provider CLI path: `stella excititor list-providers`, `show-provider`, `enable-provider`, `disable-provider`, `run-provider`, `update-provider`

Related docs:

- Stored advisory credentials and endpoint overrides: `docs/modules/concelier/operations/source-credentials.md`
- Excititor provider control plane: `docs/modules/excititor/operations/provider-control-plane.md`
- Connector runbooks: `docs/modules/concelier/operations/connectors/`

## Readiness model

Advisory sources and VEX providers preserve operator intent separately from runtime readiness.

Advisory sources return:

- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `unsupported`

Excititor VEX providers return:

- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `planned`

Interpretation:

- `blocked` means the operator wants the connector enabled, but the runtime is intentionally holding it until required configuration or retry cooldown conditions clear.
- `unsupported` means the advisory source exists in the catalog but this host does not register a runnable `source:<id>:fetch` pipeline.
- `planned` means the VEX provider exists in the provider catalog but the current Excititor host has not registered a runnable connector for it.

Canonical runtime note:

- Advisory source IDs come from `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`
- Advisory source aliases are normalized by `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceKeyAliases.cs`
- Advisory source runnable pipelines come from `src/Concelier/StellaOps.Concelier.WebService/Extensions/JobRegistrationExtensions.cs`
- Excititor provider readiness comes from `src/Concelier/StellaOps.Excititor.WebService/Services/VexProviderManagementService.cs`

## Advisory source inventory

Legend:

- `Built-in runnable = yes` means this Concelier WebService registers a `source:<id>:fetch` job.
- `Stored config = UI+CLI` means operators can persist credentials or endpoint overrides through both the Web UI and `stella db connectors configure`.
- `Stored config = none` means no persisted connector-specific source configuration schema exists today on the advisory side.

| Category | ID | Display name | Default enabled | Requires auth | Built-in runnable | Stored config |
| --- | --- | --- | --- | --- | --- | --- |
| Cert | auscert | AusCERT (Australia) | false | false | yes | none |
| Cert | cccs | CCCS (Canada) | true | false | yes | none |
| Cert | cert-at | CERT.at (Austria) | true | false | no | none |
| Cert | cert-be | CERT.be (Belgium) | true | false | no | none |
| Cert | cert-cc | CERT/CC | true | false | yes | none |
| Cert | cert-ch | NCSC-CH (Switzerland) | true | false | no | none |
| Cert | cert-de | CERT-Bund (Germany) | true | false | yes | none |
| Cert | cert-eu | CERT-EU | true | false | no | none |
| Cert | cert-fr | CERT-FR | true | false | yes | none |
| Cert | cert-in | CERT-In (India) | false | false | yes | none |
| Cert | cert-pl | CERT.PL (Poland) | false | false | no | none |
| Cert | cert-ua | CERT-UA (Ukraine) | false | false | no | none |
| Cert | fstec-bdu | FSTEC BDU (Russia) | false | false | yes | none |
| Cert | jpcert | JPCERT/CC (Japan) | true | false | yes | none |
| Cert | krcert | KrCERT/CC (South Korea) | false | false | yes | none |
| Cert | nkcki | NKCKI (Russia) | false | false | yes | none |
| Cert | us-cert | CISA (US-CERT) | true | false | yes | none |
| Container | chainguard | Chainguard Advisories | true | false | no | none |
| Container | docker-official | Docker Official CVEs | true | false | no | none |
| Csaf | csaf | CSAF Aggregator | true | false | no | none |
| Csaf | csaf-tc | CSAF TC Trusted Publishers | true | false | no | none |
| Csaf | vex | VEX Hub | true | false | no | none |
| Distribution | alpine | Alpine Security | true | false | yes | none |
| Distribution | arch | Arch Security | true | false | no | none |
| Distribution | astra | Astra Linux Security | false | false | no | none |
| Distribution | centos | CentOS Security | true | false | no | none |
| Distribution | debian | Debian Security | true | false | yes | none |
| Distribution | fedora | Fedora Security | true | false | no | none |
| Distribution | gentoo | Gentoo Security | true | false | no | none |
| Distribution | rhel | RHEL Security | true | false | no | none |
| Distribution | suse | SUSE Security | true | false | yes | none |
| Distribution | ubuntu | Ubuntu Security | true | false | yes | none |
| Ecosystem | crates | Crates.io Advisories | false | false | no | none |
| Ecosystem | go | Go Advisories | false | false | no | none |
| Ecosystem | hex | Hex.pm Advisories | false | false | no | none |
| Ecosystem | maven | Maven Advisories | false | false | no | none |
| Ecosystem | npm | npm Advisories | false | false | no | none |
| Ecosystem | nuget | NuGet Advisories | false | true | no | none |
| Ecosystem | packagist | Packagist Advisories | false | false | no | none |
| Ecosystem | pypi | PyPI Advisories | false | false | no | none |
| Ecosystem | rubygems | RubyGems Advisories | false | false | no | none |
| Exploit | exploitdb | Exploit-DB | false | false | no | none |
| Exploit | metasploit | Metasploit Modules | false | false | no | none |
| Exploit | poc-github | PoC-in-GitHub | false | true | no | none |
| Hardware | amd | AMD Security | false | false | no | none |
| Hardware | arm | ARM Security Center | false | false | no | none |
| Hardware | intel | Intel PSIRT | false | false | no | none |
| Ics | kaspersky-ics | Kaspersky ICS-CERT | false | false | yes | none |
| Ics | siemens | Siemens ProductCERT | false | false | no | none |
| Mirror | stella-mirror | StellaOps Mirror | false | false | yes | none |
| PackageManager | bundler-audit | Ruby Advisory DB | false | false | no | none |
| PackageManager | govuln | Go Vuln DB | false | false | no | none |
| PackageManager | pypa | PyPA Advisory DB | false | false | no | none |
| PackageManager | rustsec | RustSec Advisory DB | false | false | no | none |
| Primary | cve | CVE.org (MITRE) | true | false | yes | none |
| Primary | ghsa | GitHub Security Advisories | true | true | yes | UI+CLI |
| Primary | nvd | NVD (NIST) | true | false | yes | none |
| Primary | osv | OSV (Google) | true | false | yes | none |
| Threat | epss | EPSS (FIRST) | true | false | yes | none |
| Threat | kev | CISA KEV | true | false | yes | none |
| Threat | mitre-attack | MITRE ATT&CK | false | false | no | none |
| Threat | mitre-d3fend | MITRE D3FEND | false | false | no | none |
| Vendor | adobe | Adobe Security | true | false | yes | UI+CLI |
| Vendor | amazon | Amazon Linux Security | true | false | no | none |
| Vendor | apple | Apple Security | true | false | yes | none |
| Vendor | aws | AWS Security Bulletins | true | false | no | none |
| Vendor | azure | Azure Security Advisories | true | false | no | none |
| Vendor | chromium | Chromium Security | true | false | yes | UI+CLI |
| Vendor | cisco | Cisco Security | true | true | yes | UI+CLI |
| Vendor | fortinet | Fortinet PSIRT | true | false | no | none |
| Vendor | gcp | GCP Security Bulletins | true | false | no | none |
| Vendor | google | Google Security | true | false | no | none |
| Vendor | juniper | Juniper Security | true | false | no | none |
| Vendor | microsoft | Microsoft Security | true | true | yes | UI+CLI |
| Vendor | oracle | Oracle Security | true | false | yes | UI+CLI |
| Vendor | paloalto | Palo Alto Security | true | false | no | none |
| Vendor | redhat | Red Hat Security | true | false | yes | none |
| Vendor | vmware | VMware Security | true | false | yes | none |

## Stored advisory configuration coverage

The current stored configuration schema covers these advisory sources:

- `ghsa`: GitHub API token
- `cisco`: OAuth client ID and client secret
- `microsoft`: tenant ID, client ID, and client secret
- `oracle`: calendar and advisory URI overrides
- `adobe`: bulletin index URI overrides
- `chromium`: feed URI override

Everything else in the advisory catalog is either:

- public and currently fieldless on the advisory side, or
- cataloged but not wired into the built-in runnable WebService job surface yet

## Verification state for this inventory

Control-plane evidence reverified in Sprint `20260422_004`:

- Advisory source catalog and status API coverage confirms built-in runnable vs catalog-only behavior for representative connectors including `nvd`, `osv`, `cccs`, `cert-cc`, `krcert`, `microsoft`, `ghsa`, `cisco`, `oracle`, `adobe`, `chromium`, and catalog-only `npm`
- Advisory stored configuration persistence is covered for `ghsa`, `adobe`, and `chromium`
- Excititor provider management endpoints are covered by targeted backend tests and linked UI/CLI work is documented in `docs/modules/excititor/operations/provider-control-plane.md`

This page does not claim that all 78 advisory connectors were end-to-end re-ingested in this sprint. It records catalog truth, built-in host wiring, stored configuration coverage, and the specific control-plane verification completed during this implementation slice.