StellaOps Bot
2025-11-23 23:40:10 +02:00
parent c13355923f
commit 029002ad05
93 changed files with 2160 additions and 285 deletions

@@ -0,0 +1,56 @@
# Concelier mirror/offline export path (dev baseline)
Goal: serve advisory chunks and provenance via the existing `/concelier/exports/mirror/*` endpoints without blocking on release signing/DevOps pipelines.
## Minimal layout (dev)
Point `CONCELIER_MIRROR__EXPORTROOT` at a directory that contains:
```
<exportId>/
mirror/
index.json
<domain>/manifest.json
<domain>/bundle.json
<domain>/bundle.json.jws (optional; unsigned in dev)
```
Example generator (dev):
```
EXPORTROOT=out/concelier/exports
EXPORTID=$(date -u +%Y%m%dT%H%M%SZ)
DOMAIN=primary
mkdir -p "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN"
cat > "$EXPORTROOT/$EXPORTID/mirror/index.json" <<'JSON'
{"schemaVersion":1,"domains":[{"id":"primary","displayName":"Primary"}]}
JSON
cat > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/manifest.json" <<'JSON'
{"domainId":"primary","created":"2025-11-23T00:00:00Z","schemaVersion":1,"advisories":0}
JSON
# Placeholder bundle built from canonical chunks; replace with real export job output
echo '{"advisories":[]}' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json"
echo 'unsigned-dev-bundle' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json.jws"
ln -sfn "$EXPORTID" "$EXPORTROOT/latest"
```
Configure Concelier to serve it:
```
CONCELIER_MIRROR__ENABLED=true
CONCELIER_MIRROR__EXPORTROOT=out/concelier/exports
CONCELIER_MIRROR__ACTIVEEXPORTID=<exportId> # optional; falls back to latest
CONCELIER_MIRROR__DOMAINS__0__ID=primary
CONCELIER_MIRROR__DOMAINS__0__DISPLAYNAME=Primary
CONCELIER_MIRROR__DOMAINS__0__REQUIREAUTHENTICATION=false
```
With this in place, the existing endpoints return:
- `/concelier/exports/index.json`
- `/concelier/exports/mirror/primary/manifest.json`
- `/concelier/exports/mirror/primary/bundle.json` (and `.jws`)
## Why this unblocks development
- Uses the canonical chunk schema already emitted by CONCELIER-LNM-21-001.
- Requires no release signing; works with unsigned dev bundles.
- Keeps path and filenames identical to planned release layout, so DevOps can later layer signing/TUF in a separate sprint.
## Next (DevOps) step
- `DEVOPS-MIRROR-23-001-REL` will replace the placeholder bundle generator with the signed/exported artefact pipeline and enforce DSSE/TUF.
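
Review bot: In the example generator, the line that writes `unsigned-dev-bundle` into `bundle.json.jws` produces a file that is not a JWS, even though the layout block marks `.jws` as optional and unsigned in dev. A mirror client that only checks for the file's presence could treat the bundle as signed, and one that parses it will fail on the placeholder text. I would drop that line so the dev export ships without a `.jws`, or say next to it that the content is a non-verifiable placeholder. In the config block, `CONCELIER_MIRROR__DOMAINS__0__REQUIREAUTHENTICATION=false` appears without any statement that it is a dev-only value; because the doc keeps paths and filenames identical to the planned release layout, a one-line note that this setting and unsigned bundles are limited to the dev baseline would reduce the chance of it being copied into a release configuration. Please also confirm the first endpoint: the list gives `/concelier/exports/index.json`, while the generator writes the file under `mirror/index.json` and the goal line refers to `/concelier/exports/mirror/*`.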