Signal connectors
Connectors turn external events into signals automatically, so feedback reaches the loop from the channels where it already lives. Five kinds ship:
| Connector | What arrives | Notes |
|---|---|---|
| GitHub Issues | New issues and their comments | Rides the GitHub App — no separate webhook to configure |
| Slack | Messages from channels you bind | Captures acknowledge in-thread with the new SIG-n |
| Sentry | Alerts, with occurrence counts | Repeat occurrences coalesce into one signal’s count instead of flooding the queue |
| Inbound email | Mail to a per-connector capture address | Sender verification decides whether the reporter is treated as verified |
| Webhook | Anything that can POST JSON | HMAC-signed; the generic door for your own systems |
Connectors are managed in organization settings → Signal connectors (admin-gated), with full CLI parity under stella connector ….
How ingestion behaves
Every arrival passes one pipeline with predictable behavior:
- Verified first. Signatures are checked before anything is parsed; a failed signature is rejected with zero side effects.
- Idempotent. Redelivery of the same external event never creates a duplicate signal; follow-ups on a known item (new comments, new occurrences) append to its history and wake it if snoozed.
- Routed by rules. Project-mapping rules assign incoming signals to projects (a repository linked to exactly one project maps automatically); anything unmatched lands in the organization’s unassigned bucket for triage.
- Filtered visibly. Noise filters (for example, bot authors) count what they exclude — filtered is a number you can see, not a silent void.
- Rate-limited safely. Per-connector admission protects the queue; over-limit deliveries from occurrence-bearing sources coalesce rather than disappear.
Health and self-disable
Each connector tracks its own health. Repeated verification failures degrade it and eventually disable it — loudly, with a notification to organization admins — while high volume alone never does. Re-enabling is one explicit action. Disabled connectors reject deliveries with a structured reason, so the sending side can tell what happened.
Identity and privacy
External reporters are mapped to real identities only through explicit, admin-attested links — never guessed from display names. Unverified reporters are rendered as unverified and are never sent outbound notices. Reporter identity fields can be redacted in place for data-subject requests without destroying the signal’s history.
Outbound replies
Connectors can optionally post resolution notices back to their source — a comment on the GitHub issue, a Slack reply, an email — when the work that resolves a signal ships. Outbound is opt-in per connector and per project, the default message is privacy-safe, and each signal is answered at most once, ever.