git.stella-ops.org/docs/features/checked/excititor/vex-source-registration-and-verification-pipeline.md
master 7943cfb3af chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates
Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:06:39 +03:00

VEX Source Registration and Verification Pipeline

Module

Excititor

Status

VERIFIED

Description

VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.

Implementation Details

  • Modules: src/Concelier/StellaOps.Excititor.Worker/, src/Concelier/StellaOps.Excititor.WebService/, src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/, src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/
  • Key Classes:
    • VexWorkerHostedService (src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs) - background service scheduling provider runs
    • DefaultVexProviderRunner (src/Concelier/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs) - runs VEX provider connectors on schedule
    • OrchestratorVexProviderRunner (src/Concelier/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs) - orchestrator-managed provider runner
    • VexWorkerOrchestratorClient (src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs) - communicates with orchestrator for work assignment
    • VexWorkerHeartbeatService (src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs) - sends heartbeats to orchestrator
    • VexWorkerPluginCatalogLoader (src/Concelier/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs) - loads available VEX connector plugins
    • VexConnectorBase (src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs) - base class for VEX source connectors
    • VexConnectorDescriptor (src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs) - descriptor metadata for connectors
    • CiscoCsafConnector (src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs) - public Cisco CSAF connector exercised in the live fallback and cursor-preservation regression checks
    • WorkerSignatureVerifier (src/Concelier/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs) - verifies signatures during ingestion
    • VexWorkerSchedule (src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs) - schedule configuration for provider runs
    • MirrorRegistrationEndpoints (src/Concelier/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs) - REST endpoints for mirror/source registration
  • Interfaces: IVexProviderRunner, IVexConsensusRefreshScheduler, IVexWorkerOrchestratorClient
  • Source: Feature matrix scan

E2E Test Plan

  • Register a new VEX source via MirrorRegistrationEndpoints and verify it appears in the plugin catalog
  • Verify VexWorkerHostedService schedules provider runs based on VexWorkerSchedule configuration
  • Verify DefaultVexProviderRunner executes the connector and ingests VEX documents
  • Verify WorkerSignatureVerifier validates signatures on ingested documents during the pipeline
  • Verify VexWorkerHeartbeatService sends heartbeats to the orchestrator during long-running ingestion
  • Verify VexWorkerPluginCatalogLoader discovers and loads all available vendor connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE)

Verification

  • Re-verified on 2026-04-22 via run-002.
  • Tier 0: Current src/Concelier/... source files confirmed present on disk; stale legacy src/Excititor/... references from the previous checked record were normalized during this QA cycle.
  • Tier 1: dotnet build passed for src/Concelier/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj with 0 warnings and 0 errors. Targeted xUnit helper runs also passed for CiscoCsafConnectorTests (8/8) and VexWorkerOrchestratorClientTests (10/10).
  • Tier 2d: Disposable Cisco-only worker run eddb0e0b-26b1-4b9c-b08d-679413905795 completed after index.json returned 404 and the connector fell back cleanly to changes.csv, which returned 200; the run persisted no duplicate raw documents and preserved vex.connector_states.last_updated = 2026-04-22 07:25:53.884862+00.
  • Artifacts: docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier0-source-check.json, docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier1-build-check.json, docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier2-integration-check.json
  • Further re-verified on 2026-04-22 via run-003 for the Oracle CSAF provider path.
  • Tier 0: Oracle CSAF source files and their targeted test classes were confirmed present under src/Concelier/....
  • Tier 1: Targeted xUnit helper runs passed for OracleCatalogLoaderTests (3/3) and OracleCsafConnectorTests (4/4), covering cache/offline catalog loading, checksum mismatch handling, missing historical documents, and empty-digest checkpoint behavior.
  • Tier 2d: Disposable Oracle-only worker run 5fa3edb0-a3af-4ec1-b9bb-dce9baa32d09 completed successfully against the live Oracle RSS catalog. The connector skipped multiple historical 404 CSAF URIs without failing the provider, persisted no duplicate raw documents, and preserved vex.connector_states.last_updated = 2026-04-22 06:46:15.261191+00.
  • Artifacts: docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier0-source-check.json, docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier1-build-check.json, docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier2-integration-check.json