Signal connectors

Connectors turn external events into signals automatically, so feedback reaches the loop from the channels where it already lives. Five kinds ship:

Connector What arrives Notes
GitHub Issues New issues and their comments Rides the GitHub App — no separate webhook to configure
Slack Messages from channels you bind Captures acknowledge in-thread with the new SIG-n
Sentry Alerts, with occurrence counts Repeat occurrences coalesce into one signal’s count instead of flooding the queue
Inbound email Mail to a per-connector capture address Sender verification decides whether the reporter is treated as verified
Webhook Anything that can POST JSON HMAC-signed; the generic door for your own systems

Connectors are managed in organization settings → Signal connectors (admin-gated), with full CLI parity under stella connector ….

How ingestion behaves

Every arrival passes one pipeline with predictable behavior:

  • Verified first. Signatures are checked before anything is parsed; a failed signature is rejected with zero side effects.
  • Idempotent. Redelivery of the same external event never creates a duplicate signal; follow-ups on a known item (new comments, new occurrences) append to its history and wake it if snoozed.
  • Routed by rules. Project-mapping rules assign incoming signals to projects (a repository linked to exactly one project maps automatically); anything unmatched lands in the organization’s unassigned bucket for triage.
  • Filtered visibly. Noise filters (for example, bot authors) count what they exclude — filtered is a number you can see, not a silent void.
  • Rate-limited safely. Per-connector admission protects the queue; over-limit deliveries from occurrence-bearing sources coalesce rather than disappear.

Health and self-disable

Each connector tracks its own health. Repeated verification failures degrade it and eventually disable it — loudly, with a notification to organization admins — while high volume alone never does. Re-enabling is one explicit action. Disabled connectors reject deliveries with a structured reason, so the sending side can tell what happened.

Identity and privacy

External reporters are mapped to real identities only through explicit, admin-attested links — never guessed from display names. Unverified reporters are rendered as unverified and are never sent outbound notices. Reporter identity fields can be redacted in place for data-subject requests without destroying the signal’s history.

Outbound replies

Connectors can optionally post resolution notices back to their source — a comment on the GitHub issue, a Slack reply, an email — when the work that resolves a signal ships. Outbound is opt-in per connector and per project, the default message is privacy-safe, and each signal is answered at most once, ever.