Closes the last open task in SPRINT_20260422_003. Persisted operator
enablement is now separated from runtime readiness so credential-gated
sources can show an explicit blocked state instead of collapsing into a
generic failed/disabled shape.
Readiness model:
- new SourceReadiness constants class: Disabled | Unsupported | Blocked | Ready
- ConfiguredAdvisorySourceStatus gains Readiness + BlockedReason alongside
existing SyncState (kept as backward-compatible alias)
- enabled = persisted operator intent (untouched)
- readiness = blocked when persisted-enabled and credentials/URIs missing
- blockedReason = free-form list of missing fields
- blockingReason.errorCode = SOURCE_CONFIG_REQUIRED for structured drill-down
Endpoint propagation:
- /status: persisted enabled=true kept; readiness=blocked; readyForSync=false
- /{id}/enable: 200 with readiness=blocked; sourceRegistry left disabled
until credentials land (pre-existing behaviour retained)
- /{id}/sync: 422 readiness=blocked + SOURCE_CONFIG_REQUIRED;
**connector never invoked**, no job run created
- /sync (batch): per-result outcome=blocked with readiness/errorCode/
blockedReason; excluded from totalTriggered; other sources proceed
- Transition: PUT /{id}/configuration with missing credential →
runtimeOptionsInvalidator.Invalidate → next /status flips to ready.
No disable/re-enable cycle needed.
Tests: 8 targeted xUnit methods via scripts/test-targeted-xunit.ps1,
8/8 pass. Includes: blocked status exposure, blocked-to-ready transition
on persisted credential, connector-not-invoked-when-blocked, plus 4
pre-existing SRC-CREDS-002 regression tests.
Docs:
- docs/modules/concelier/connectors.md — new "Blocked / sleeping
readiness state" section with field contract, per-endpoint behaviour
table, UI/CLI rendering guidance, resolution flow
- docs/modules/cli/guides/commands/db.md — short note under
`db connectors configure` cross-linking the connectors.md contract
Sprint SPRINT_20260422_003 archived — all 5 tasks DONE.
New fields are additive; existing UI types in
source-management.api.ts ignore unknown fields so no UI breakage. A
future FE pass can wire explicit readiness/blockedReason rendering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
stella db - Command Guide
The stella db command group triggers Concelier database operations via backend jobs and advisory-source management APIs.
These commands are operational: they typically require Authority authentication and appropriate Concelier scopes.
Commands
db connectors configure
Inspect or update persisted advisory source configuration.
stella db connectors configure ghsa --server https://concelier.example.internal
stella db connectors configure ghsa \
--server https://concelier.example.internal \
--set apiToken=github_pat_xxx
stella db connectors configure cisco \
--server https://concelier.example.internal \
--set clientId=... \
--set clientSecret=...
stella db connectors configure microsoft \
--server https://concelier.example.internal \
--set tenantId=... \
--set clientId=... \
--set clientSecret=...
stella db connectors configure oracle \
--server https://concelier.example.internal \
--set calendarUris=https://www.oracle.com/security-alerts/,https://mirror.example.internal/oracle/
stella db connectors configure adobe \
--server https://concelier.example.internal \
--set indexUri=https://mirror.example.internal/adobe/security-bulletin.html
stella db connectors configure chromium \
--server https://concelier.example.internal \
--set feedUri=https://mirror.example.internal/chromium/atom.xml
Options:
- `--set key=value`: set a field value. Repeat for multiple fields.
- `--clear <field>`: clear a stored field. Repeat for multiple fields.
- `--server`: Concelier API base URL.
- `--tenant`, `-t`: tenant override.
- `--format`, `-f`: `text` or `json`.
Notes:
- Sensitive fields are returned as retained or not-set markers, not plaintext values.
- Multi-value URI fields accept comma-, semicolon-, or newline-separated absolute URIs.
- The current CLI path sends literal values on the command line. Use the Web UI path if command-history exposure is unacceptable for a secret.
Blocked state for credential-gated sources:
- Persisted enablement (`enabled=true`) is kept separate from runtime readiness. When an enabled source is missing required credentials or URIs, its `readiness` (alias `syncState`) is `blocked`, `blockedReason` describes what is missing, and both `/sync` and the batch `/sync` paths skip it with an explicit `blocked` outcome instead of invoking the connector and emitting a misleading scheduler failure.
- Supplying the missing field through `stella db connectors configure <source> --set <field>=<value>` flips the source to `readiness=ready` on the next status call without any disable/re-enable step.
- See connectors.md -> Blocked / sleeping readiness state for the full endpoint contract.
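
The blocked-state contract above as an added Python sketch, not Concelier's own code: it derives readiness from persisted enablement plus stored fields, and shows a batch sync reporting a blocked source without invoking its connector. The per-source required-field map, the precedence of unsupported over disabled, the `triggered`/`skipped` outcome names and the `sourceId` key are assumptions; `blocked`, `SOURCE_CONFIG_REQUIRED`, `blockedReason` and `totalTriggered` come from this page.

```python
# Added sketch of the readiness contract; not Concelier's implementation.
# REQUIRED_FIELDS is an assumed map based on the fields this guide sets.
REQUIRED_FIELDS = {
    "ghsa": ["apiToken"],
    "cisco": ["clientId", "clientSecret"],
    "oracle": ["calendarUris"],
    "osv": [],  # assumed: nothing required
}

def readiness(source_id, enabled, config):
    """Return (readiness, blockedReason); enabled is persisted operator intent."""
    if source_id not in REQUIRED_FIELDS:
        return "unsupported", None
    if not enabled:
        return "disabled", None
    missing = [f for f in REQUIRED_FIELDS[source_id] if not config.get(f)]
    if missing:
        return "blocked", "missing: " + ", ".join(missing)
    return "ready", None

def batch_sync(sources, trigger):
    """Model of batch sync: blocked sources are reported, never triggered."""
    results, total = [], 0
    for sid, (enabled, config) in sources.items():
        state, reason = readiness(sid, enabled, config)
        entry = {"sourceId": sid, "readiness": state}
        if state == "ready":
            trigger(sid)  # the connector runs only for ready sources
            total += 1
            entry["outcome"] = "triggered"
        elif state == "blocked":
            entry.update(outcome="blocked", errorCode="SOURCE_CONFIG_REQUIRED",
                         blockedReason=reason)
        else:
            entry["outcome"] = "skipped"
        results.append(entry)
    return {"totalTriggered": total, "results": results}

def demo():
    """Constructed input: ghsa is enabled but has no token stored yet."""
    invoked = []
    sources = {
        "ghsa": (True, {}),    # enabled, credential missing -> blocked
        "osv": (True, {}),     # enabled, nothing required -> ready
        "cisco": (False, {}),  # operator left it disabled
    }
    first = batch_sync(sources, invoked.append)
    # Storing the missing field flips ghsa to ready; enabled is never toggled.
    sources["ghsa"][1]["apiToken"] = "constructed-placeholder"
    second = batch_sync(sources, invoked.append)
    return first, second, invoked
```
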
db fetch
Trigger a connector stage (fetch, parse, or map) for a given source.
stella db fetch --source osv --stage fetch
stella db fetch --source osv --stage parse
stella db fetch --source osv --stage map
Options:
- `--source` (required): connector identifier such as `osv`, `redhat`, `ghsa`, or `cisco`
- `--stage` (optional): `fetch`, `parse`, or `map` (defaults to `fetch`)
- `--mode` (optional): connector-specific mode such as `init`, `resume`, or `cursor`
db merge
Run canonical merge reconciliation.
stella db merge
db export
Run Concelier export jobs.
stella db export --format json
stella db export --format trivy-db --delta
Options:
- `--format` (optional): `json` or `trivy-db`
- `--delta` (optional): request a delta export when supported
- `--publish-full` or `--publish-delta` (optional): override publish behavior
- `--bundle-full` or `--bundle-delta` (optional): override offline bundle behavior
Common setup
Point the CLI at the Concelier base URL:
export STELLAOPS_BACKEND_URL="https://concelier.example.internal"
Authenticate:
stella auth login
See docs/CONCELIER_CLI_QUICKSTART.md and docs/modules/concelier/operations/authority-audit-runbook.md.