838257245a
Closes the last open task in SPRINT_20260422_003. Persisted operator
enablement is now separated from runtime readiness so credential-gated
sources can show an explicit blocked state instead of collapsing into a
generic failed/disabled shape.
Readiness model:
- new SourceReadiness constants class: Disabled | Unsupported | Blocked | Ready
- ConfiguredAdvisorySourceStatus gains Readiness + BlockedReason alongside
existing SyncState (kept as backward-compatible alias)
- enabled = persisted operator intent (untouched)
- readiness = blocked when persisted-enabled and credentials/URIs missing
- blockedReason = free-form list of missing fields
- blockingReason.errorCode = SOURCE_CONFIG_REQUIRED for structured drill-down
Endpoint propagation:
- /status: persisted enabled=true kept; readiness=blocked; readyForSync=false
- /{id}/enable: 200 with readiness=blocked; sourceRegistry left disabled
until credentials land (pre-existing behaviour retained)
- /{id}/sync: 422 readiness=blocked + SOURCE_CONFIG_REQUIRED;
**connector never invoked**, no job run created
- /sync (batch): per-result outcome=blocked with readiness/errorCode/
blockedReason; excluded from totalTriggered; other sources proceed
- Transition: PUT /{id}/configuration with missing credential →
runtimeOptionsInvalidator.Invalidate → next /status flips to ready.
No disable/re-enable cycle needed.
Tests: 8 targeted xUnit methods via scripts/test-targeted-xunit.ps1,
8/8 pass. Includes: blocked status exposure, blocked-to-ready transition
on persisted credential, connector-not-invoked-when-blocked, plus 4
pre-existing SRC-CREDS-002 regression tests.
Docs:
- docs/modules/concelier/connectors.md — new "Blocked / sleeping
readiness state" section with field contract, per-endpoint behaviour
table, UI/CLI rendering guidance, resolution flow
- docs/modules/cli/guides/commands/db.md — short note under
`db connectors configure` cross-linking the connectors.md contract
Sprint SPRINT_20260422_003 archived — all 5 tasks DONE.
New fields are additive; existing UI types in
source-management.api.ts ignore unknown fields so no UI breakage. A
future FE pass can wire explicit readiness/blockedReason rendering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
StellaOps Concelier
Concelier ingests signed advisories from 32 advisory connectors and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
Advisory Sources (32 connectors):
- National CERTs (8): ACSC (Australia), CCCS (Canada), CERT-Bund (Germany), CERT-CC (US), CERT-FR (France), CERT-IN (India), JVN (Japan), KISA (Korea)
- OS Distros (5): Alpine SecDB, Debian Security Tracker, RedHat OVAL, SUSE OVAL, Ubuntu USN
- Vendors (7): Apple, Adobe, Chromium, Cisco PSIRT, Microsoft MSRC, Oracle, VMware
- Standards (5): CVE, NVD, GHSA (GitHub), OSV, EPSS v4
- Threat Intel (3): KEV (CISA Exploited Vulns), CISA ICS, Kaspersky ICS
- Regional (3): Russia BDU, Russia NKCKI, Plus regional mirrors
- Internal (1): StellaOps internal mirror
Responsibilities
- Fetch and normalise vulnerability advisories via restart-time connectors.
- Persist observations and correlation linksets without precedence decisions.
- Emit deterministic exports (JSON, Trivy DB) for downstream policy evaluation.
- Coordinate offline/air-gap updates via Offline Kit bundles.
- Serve paragraph-anchored advisory chunks for Advisory AI consumers without breaking the Aggregation-Only Contract.
- Do not emit promotion PASS/FAIL decisions; promotion gate decisions are owned by Policy Engine.
Key components
StellaOps.Concelier.WebServiceorchestration host.- Connector libraries under
StellaOps.Concelier.Connector.*. - Exporter packages (
StellaOps.Concelier.Exporter.*).
Recent updates
- 2025-11-07: Paragraph-anchored
/advisories/{advisoryKey}/chunksendpoint shipped for Advisory AI paragraph retrieval. Details and rollout notes live in../../implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md.
Integrations & dependencies
- PostgreSQL (schema
vuln) for canonical observations and schedules. - Policy Engine / Export Center / CLI for evidence consumption.
- Notify and UI for advisory deltas.
Operational notes
- Connector runbooks in ./operations/connectors/.
- Mirror operations for Offline Kit parity.
- Grafana dashboards for connector health.
- Authority toggle rollout (2025-10-22 update). Follow the phased table and audit checklist in
../../CONCELIER_CLI_QUICKSTART.mdwhen enablingauthority.enabled/authority.allowAnonymousFallback, and cross-check the refreshed./operations/authority-audit-runbook.mdbefore enforcement.
Related resources
- ./operations/conflict-resolution.md
- ./operations/mirror.md
- ./operations/authority-audit-runbook.md
- ../../CONCELIER_CLI_QUICKSTART.md (authority integration timeline & smoke tests)
Backlog references
- DOCS-LNM-22-001, DOCS-LNM-22-007 in ../../TASKS.md.
- Connector-specific TODOs in
src/Concelier/**/TASKS.md.
Epic alignment
- Epic 1 – AOC enforcement: uphold raw observation invariants, provenance requirements, linkset-only enrichment, and AOC verifier guardrails across every connector.
- Epic 10 – Export Center: expose deterministic advisory exports and metadata required by JSON/Trivy/mirror bundles.
Implementation Status
Delivery Phases:
- Phase 1 (Guardrails & schema) – PostgreSQL validators, AOCWriteGuard interceptor, deterministic linkset builders operational
- Phase 2 (API & observability) – Ingestion/verification endpoints with Authority scopes, telemetry, Offline Kit packaging
- Phase 3 (Experience polish) – CLI/Console affordances, Export Center hand-off metadata, CI enforcement
Acceptance Criteria:
- PostgreSQL validators and runtime guards reject forbidden fields and missing provenance with ERR_AOC_00x codes
- Linksets and supersedes chains deterministic; identical payloads yield byte-identical documents
- CLI
stella aoc verifyexits non-zero on violations, zero on clean datasets - Export Center consumes advisory datasets without legacy normalized fields
- CI fails on lint violations or guard test regressions
Key Risks & Mitigations:
- Collector drift: guard middleware + CI lint + schema validation; RFC required for linkset changes
- Migration complexity: staged cutover with backup copies, temporary views for Policy Engine parity
- Performance overhead: guard remains O(number of keys), index review for insert latency targets
- Tenancy leakage: tenant required in schema, Authority claims enforced, observability alerts
Recent Milestones:
- Sprint 110 attestation chain validated, evidence bundle tests green
- Link-Not-Merge cache and console consumption docs frozen
- Observation events transport reviewed, NATS/air-gap guidance updated
- Testing-only legacy
AddInMemoryStorage()compatibility moved into explicit web-service test harnesses, and runtime observation-event defaults no longer imply an undocumented"inmemory"transport