Closes 3 of 4 tasks in SPRINT_20260422_007. EXCITITOR-CFG-04 (OCI
binary-material handling) stays BLOCKED pending a secret-reference
storage-model design decision — sprint header called that out as a
scope boundary.
Mirrors the SRC-CREDS pattern (commits 838257245 + earlier) to give
Excititor VEX providers the same persisted-credentials + blocked-
readiness contract that advisory sources now have.
Persistence (EXCITITOR-CFG-01):
- New vex.provider_settings table via embedded migration
007_vex_provider_settings.sql (auto-applied by AddStartupMigrations).
Key: provider_id; columns: settings jsonb, updated_by, timestamps.
- PostgresVexProviderSettingsStore (Dapper) + ProviderSettingsRow EfCore
model + InMemoryVexProviderSettingsStore for tests.
- IVexProviderSettingsStore + VexProviderSettingsRecord added to
StellaOps.Excititor.Core/Storage.
- Existing vex.providers row (trust, discovery, base_uris, enabled)
untouched — additive only.
API surface:
- GET /excititor/providers/{id}/configuration → masked snapshot with
fields: key, label, inputType, sensitive, required, value, hasValue,
isSecretRetained, helpText, placeholder. Plaintext secrets never
returned.
- PUT /excititor/providers/{id}/configuration with { values, clearKeys }.
Sensitive fields submitted blank are retained; clearKeys explicitly
deletes.
- Field schemas shipped for excititor:cisco / msrc / suse-rancher.
Effective settings + readiness (EXCITITOR-CFG-02):
- VexProviderConfigurationService.ComputeConfigurationFailure drives
readiness. When persisted-enabled but missing required fields, the
provider status reports blockingReasonCode=PROVIDER_CONFIG_REQUIRED
(or PROVIDER_CONFIG_INVALID on validation failure), readiness=blocked.
Configuration failures take priority over retry-backoff reasons so the
actionable message surfaces first.
- VexIngestOrchestrator.ValidateConnectorAsync + ExecuteRunAsync resolve
effective settings from VexProviderRuntimeSettingsCache; same
settings flow into DefaultVexProviderRunner (worker scheduled runs).
Previously those paths validated against empty / schedule-only options.
CLI + Web (EXCITITOR-CFG-03):
- CLI: `stella vex providers configure <provider> [--set k=v] [--clear k]
[--format text|json]`. Aliases cisco/msrc/rancher → excititor:*.
- Web: VexProviderManagementApi.getConfiguration / updateConfiguration
+ VexProviderConfigurationComponent (Angular standalone). Component
renders masked-secret + clear toggles + required indicators + help/
placeholder. Routing intentionally minimal (no new route added) to
avoid stepping on the parallel FE test agent.
Tests: targeted xUnit via scripts/test-targeted-xunit.ps1:
- VexProviderConfigurationServiceTests → Total: 8, Failed: 0
- ProviderManagementEndpointsTests regression → Total: 5, Failed: 0
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
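
The configuration contract described in the commit message above (blank sensitive fields retained, clearKeys deleting, masked snapshots, PROVIDER_CONFIG_REQUIRED readiness), sketched as an added C# example that is not the StellaOps code. `FieldSchema`, `ConfigSketch` and its methods are hypothetical names. Rejecting unknown keys, letting an explicit clear win, treating a blank non-sensitive value as unset, and the meaning given to the retained flag are assumptions the page does not state.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: a stored secret, then a PUT that submits it blank.
var schema = new[] { new FieldSchema("apiToken", true, true), new FieldSchema("baseUri", false, false) };
var stored = new Dictionary<string, string> { ["apiToken"] = "constructed-secret" };
var put = new Dictionary<string, string> { ["apiToken"] = "", ["baseUri"] = "https://vex.example.test" };
var next = ConfigSketch.ApplyUpdate(schema, stored, put, Array.Empty<string>());
foreach (var f in ConfigSketch.Mask(schema, next)) Console.WriteLine(f);
Console.WriteLine(ConfigSketch.BlockingReason(schema, new Dictionary<string, string>(), enabled: true));

public sealed record FieldSchema(string Key, bool Sensitive, bool Required);

public static class ConfigSketch
{
    // PUT: clearKeys deletes; a blank sensitive value keeps the stored secret.
    public static Dictionary<string, string> ApplyUpdate(IReadOnlyList<FieldSchema> schema,
        IReadOnlyDictionary<string, string> stored, IReadOnlyDictionary<string, string> values,
        IReadOnlyCollection<string> clearKeys)
    {
        var result = new Dictionary<string, string>(stored, StringComparer.Ordinal);
        foreach (var key in clearKeys) result.Remove(key);
        foreach (var (key, value) in values)
        {
            var field = schema.FirstOrDefault(f => f.Key == key)
                ?? throw new ArgumentException($"Unknown field '{key}'"); // assumption: reject
            if (clearKeys.Contains(key)) continue;        // explicit clear wins (assumption)
            if (!string.IsNullOrWhiteSpace(value)) result[key] = value;
            else if (!field.Sensitive) result.Remove(key); // blank non-secret unsets (assumption)
        }
        return result;
    }

    // GET: plaintext of sensitive fields is never placed in the snapshot.
    public static IEnumerable<(string Key, string? Value, bool HasValue, bool IsSecretRetained)> Mask(
        IReadOnlyList<FieldSchema> schema, IReadOnlyDictionary<string, string> stored) =>
        schema.Select(f =>
        {
            var has = stored.TryGetValue(f.Key, out var v) && !string.IsNullOrEmpty(v);
            return (f.Key, f.Sensitive ? null : v, has, has && f.Sensitive);
        });

    // Readiness: enabled + missing required field => blocked with this reason code.
    public static string? BlockingReason(IReadOnlyList<FieldSchema> schema,
        IReadOnlyDictionary<string, string> stored, bool enabled) =>
        enabled && schema.Any(f => f.Required && !stored.ContainsKey(f.Key))
            ? "PROVIDER_CONFIG_REQUIRED" : null;
}
```
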
StellaOps Excititor (Archived -- absorbed into Concelier domain, Sprint 203)
Note: Excititor source code has been moved to `src/Concelier/StellaOps.Excititor.*` as part of the advisory domain consolidation (Sprint 203, 2026-03-04). This documentation is kept as a redirect. Full archive at `docs-archived/modules/excititor/`. The ADR is recorded in `docs/modules/concelier/architecture.md`.
Excititor converts heterogeneous VEX feeds into raw observations and linksets that honour the Aggregation-Only Contract.
Latest updates (2025-12-05)
- Chunk API documentation remains blocked until CI is green and a pinned OpenAPI spec + deterministic samples are available.
- Sprint tracker `docs/implplan/SPRINT_0333_0001_0001_docs_modules_excititor.md` and module `TASKS.md` mirror status.
- Observability/runbook assets remain in `operations/observability.md` and `observability/` (timeline, locker manifests); dashboards stay offline-import friendly.
- Prior updates (2025-11-05): Link-Not-Merge readiness and consensus beta note (`../../implplan/archived/updates/2025-11-05-excitor-consensus-beta.md`), observability guide additions, DSSE packaging guidance, and Policy/CLI follow-ups tracked in SPRINT_200.
- Link-Not-Merge readiness: release note Excitor consensus beta captures how Excititor feeds power the Excititor consensus beta (sample payload in consensus JSON).
- Added observability guide describing the evidence metrics emitted by `EXCITITOR-AIAI-31-003` (request counters, statement histogram, signature status, guard violations) so Ops/Lens can alert on misuse.
- README now points policy/UI teams to the upcoming consensus integration work.
- DSSE packaging for consensus bundles and Export Center hooks are documented in the beta release note; operators mirroring Excititor exports must verify detached JWS artefacts (`bundle.json.jws`) alongside each bundle.
- Follow-ups called out in the release note (Policy weighting knobs `POLICY-ENGINE-30-101`, CLI verb `CLI-VEX-30-002`) remain in-flight and are tracked in `/docs/implplan/SPRINT_200_documentation_process.md`.
Release references
- Consensus beta payload reference: docs/vex/consensus-json.md
- Export Center offline packaging: docs/modules/export-center/devportal-offline.md
- Historical release log: docs/implplan/archived/updates/
Responsibilities
- Fetch OpenVEX/CSAF/CycloneDX statements via restart-only connectors.
- Store immutable VEX observations with full provenance.
- Publish linksets and events that drive policy suppression decisions.
- Provide deterministic exports for Offline Kit and downstream tooling.
Key components
- `StellaOps.Excititor.WebService` scheduler/API host.
- Connector libraries under `StellaOps.Excititor.Connector.*`.
- Normalization helpers and exporters in `StellaOps.Excititor.*`.
Integrations & dependencies
- Policy Engine for evidence queries.
- UI/CLI for conflict visibility and explanation.
- Notify for VEX-driven alerts.
Operational notes
- PostgreSQL (schema `vex`) for observation storage and job metadata.
- Offline kit packaging aligned with Concelier merges.
- Connector-specific runbooks (see `docs/modules/concelier/operations/connectors`).
- Provider control plane inventory and readiness notes: `operations/provider-control-plane.md`
- Ubuntu CSAF provenance knobs: `operations/ubuntu-csaf.md` captures TrustWeight/Tier, cosign, and fingerprint configuration for the sprint 120 enrichment.
Backlog references
- DOCS-LNM-22-006 / DOCS-LNM-22-007 (shared with Concelier).
- CLI-EXC-25-001..002 follow-up for CLI parity.
Epic alignment
- Epic 1 – AOC enforcement: maintain immutable VEX observations, provenance, and AOC verifier coverage.
- Epic 7 – VEX Consensus Lens: supply trustworthy raw inputs, trust metadata, and consensus hooks for the lens computations.
- Epic 8 – Advisory AI: expose citation-ready VEX payloads for the advisory assistant pipeline.
Implementation Status
Objectives
- Maintain deterministic behaviour and offline parity across releases
- Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes
Key Milestones
- Epic 1 – AOC enforcement: enforce immutable VEX observation schema, provenance capture, and guardrails
- Epic 7 – VEX Consensus Lens: provide lens-ready metadata (issuer trust, temporal scoping) and consensus APIs
- Epic 8 – Advisory AI: guarantee citation-ready payloads and normalized context for AI summaries/explainers
Recent Delivery Status
- Chunk API documentation remains blocked until CI is green and a pinned OpenAPI spec with deterministic samples is available
- Link-Not-Merge readiness and consensus beta completed with DSSE packaging guidance
- Observability guide additions and policy/CLI follow-ups tracked in sprint files
Workstreams
- Backlog grooming: reconcile open stories with module roadmap
- Implementation: collaborate with service owners to land feature work
- Validation: extend tests/fixtures to preserve determinism and provenance requirements
Coordination
- Review ./AGENTS.md before picking up new work
- Sync with cross-cutting teams noted in sprint files
- Update plan whenever scope, dependencies, or guardrails change