Revised to reflect verified end-to-end state on the local dev stack:
Concelier (9 wired backend connectors, 8 healthy, 787 advisories ingested):
- redhat (651 docs), osv (59), debian (41), suse (26), alpine (8),
ubuntu (2), auscert (0), vmware (0), stella-mirror (404 on dev — OK)
- all respond to `sources check` probes
Excititor (4 wired providers):
- excititor:{redhat, ubuntu, cisco, oracle} all enabled
- Cisco VEX uses the public CSAF feed (unauthenticated) — different
from the Concelier advisory side of Cisco which would need PSIRT OAuth
Aspirational catalog (~65 entries): present in `stellaops-cli sources list`
but NOT backend-wired. `sources enable <id>` returns OK but is a no-op
because no source_type → connector mapping exists. Tracked in
SPRINT_20260422_004 / _007.
Credential steps (GHSA, Cisco PSIRT, Microsoft MSRC) retained but flagged
as ready-for-when-the-connector-backend-lands. Currently all three
connectors they'd apply to are in the aspirational catalog only.
Operator commands documented + known CLI asymmetry (Concelier.Advisories.Read
policy needs aoc:verify scope which stellaops-cli client can't mint;
affects read endpoints only, write path works).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dd98d6c3f6