stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
dd98d6c3f6c80c4e04cddb4a4427f077ab6d19d4
git.stella-ops.org/docs/modules/excititor/operations/provider-control-plane.md
master 3871732765 feat(excititor+cli+web): VEX provider control plane — CLI + Web extensions (SPRINT_20260422_004) 
Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.

CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
  management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced

Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
  users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow

Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
  guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
  connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced

Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.

This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 19:24:49 +03:00

5.3 KiB
Raw Blame History

Excititor Provider Control Plane

This document describes the operator-facing control plane for Excititor VEX providers.

Operator entry points

  • Web UI: Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers
  • CLI:
    • stella excititor list-providers
    • stella excititor show-provider --provider <id>
    • stella excititor enable-provider --provider <id>
    • stella excititor disable-provider --provider <id>
    • stella excititor run-provider --provider <id> [--since ... --window ... --force]
    • stella excititor update-provider --provider <id> ...

Backend API:

  • GET /excititor/providers
  • GET /excititor/providers/{providerId}
  • PUT /excititor/providers/{providerId}
  • POST /excititor/providers/{providerId}/enable
  • POST /excititor/providers/{providerId}/disable
  • POST /excititor/providers/{providerId}/run

Readiness states

Excititor providers use four runtime readiness states:

  • ready: persisted-enabled and the current host has a runnable connector
  • blocked: persisted-enabled but currently cooling down or otherwise not runnable
  • disabled: persisted-disabled
  • planned: cataloged provider without a runnable connector registered on the current host

enabled remains the operator intent flag. A provider can be enabled=true and still show planned or blocked.

Provider inventory

Provider ID Kind Default enabled Registered in WebService UI control plane CLI control plane Credential / config status Notes
excititor:redhat distro true yes yes yes Public defaults; metadata and trust overrides can be persisted through the provider control plane. Registered by default in StellaOps.Excititor.WebService.
excititor:ubuntu distro true yes yes yes Public defaults; metadata and trust overrides can be persisted through the provider control plane. Registered by default in StellaOps.Excititor.WebService.
excititor:oracle vendor true yes yes yes Public defaults; metadata and trust overrides can be persisted through the provider control plane. Registered by default in StellaOps.Excititor.WebService.
excititor:cisco vendor true yes yes yes Public CSAF metadata works without a persisted secret path. Optional API token support exists in connector host options, not in the new persisted UI or CLI surface. Registered by default in StellaOps.Excititor.WebService.
excititor:suse-rancher hub false yes yes yes Discovery and trust metadata can be persisted. Authenticated discovery credentials remain host-config only today. Anonymous discovery can still be allowed by connector options. Registered by default in StellaOps.Excititor.WebService.
excititor:oci-openvex attestation false yes yes yes Provider metadata and trust overrides can be persisted. Image subscriptions, registry credentials, and cosign credential material remain host-config only today. Registered by default in StellaOps.Excititor.WebService.
excititor:msrc vendor false conditional yes yes Persisted provider metadata exists, but MSRC connector credentials and offline token settings remain host-config only today. Registered only when Excititor:Connectors:Msrc exists in host configuration. Otherwise the provider remains planned.

What the current provider control plane persists

The current update-provider surface persists:

  • display name
  • provider kind
  • base URIs
  • well-known metadata URI
  • ROLIE service URI
  • trust weight
  • PGP fingerprints
  • cosign issuer
  • cosign identity pattern
  • enabled / disabled intent

The current provider control plane does not yet persist connector-secret fields such as:

  • MSRC tenant, client ID, client secret, static access token, or offline token path
  • Rancher Hub token endpoint, client ID, or client secret
  • OCI registry username, password, identity token, refresh token, cosign key pair, or image subscription list
  • Cisco optional VEX API token

Those settings still come from host configuration today. The control plane is truthful about the gap by surfacing planned or blocked readiness instead of pretending the connector is runnable.

Host wiring notes

  • StellaOps.Excititor.WebService always registers:
    • Red Hat CSAF
    • Ubuntu CSAF
    • Oracle CSAF
    • Cisco CSAF
    • SUSE Rancher VEX Hub
    • OCI OpenVEX attestations
  • StellaOps.Excititor.WebService registers Microsoft MSRC CSAF only when the Excititor:Connectors:Msrc configuration section exists.
  • StellaOps.Excititor.Worker seeds these public defaults when no explicit provider schedule list is supplied:
    • excititor:redhat
    • excititor:ubuntu
    • excititor:oracle
    • excititor:cisco

Verification state

Reverified in Sprint 20260422_004:

  • targeted backend tests for provider management endpoints passed against StellaOps.Excititor.WebService.Tests.ProviderManagementEndpointsTests
  • Angular route helper spec passed for the new VEX provider route
  • Angular development build passed with the new provider catalog page
  • CLI provider inspection and control verbs were added for the backend surface

The verification above covers the provider control plane and readiness behavior. It does not claim a fresh live ingest verification run for every upstream VEX provider in this sprint.