stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
f57b18b6e530a79f0c11a359b31787a9564f3e64
git.stella-ops.org/docs/modules/concelier/operations/connectors/chromium.md
master 607ce619fe feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials) 
Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:05:53 +03:00

1.5 KiB
Raw Blame History

Concelier Chromium Connector - Operations Runbook

Last updated: 2026-04-22

1. Overview

The Chromium connector ingests Chromium security advisories and maps them to canonical IDs. The canonical runtime source ID is chromium.

2. Authentication

  • No authentication required for public advisories.

3. Configuration paths

Primary operator path:

  • Web UI: Security Posture -> Configure Sources or Ops -> Operations -> Feeds & Airgap -> Configure Sources
  • CLI: 
    stella db connectors configure chromium \
  --server https://concelier.example.internal \
  --set feedUri=https://mirror.example.internal/chromium/atom.xml

The Chromium connector does not require credentials. Use the UI/CLI configuration path only when overriding the canonical Chrome Releases Atom feed for a mirror or controlled ingestion path.

Compatibility fallback (concelier.yaml):

concelier:
  sources:
    chromium:
      feedUri: "https://chromereleases.googleblog.com/atom.xml"
      initialBackfill: "30.00:00:00"
      windowOverlap: "2.00:00:00"
      maxFeedPages: 4
      maxEntriesPerPage: 50

4. Offline and air-gapped deployments

  • Mirror the Atom feed and referenced post pages into the Offline Kit.
  • Repoint feedUri to the mirrored allowlisted endpoint.

5. Common failure modes

  • Feed cadence shifts during Chromium release trains
  • Google changes the Atom feed or post markup used for stable-channel parsing
  • Operators mirror post pages but not the Atom feed that seeds discovery