Add authority bootstrap flows and Concelier ops runbooks

docs/24_OFFLINE_KIT.md

@@ -10,32 +10,50 @@
 The **Offline Update Kit** packages everything Stella Ops needs to run on a
 completely isolated network:
 
-| Component | Contents |
-|-----------|----------|
-| **Merged vulnerability feeds** | OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU |
-| **Container images** | `stella-ops`, *Zastava* sidecar (x86‑64 & arm64) |
-| **Provenance** | Cosign signature, SPDX 2.3 SBOM, in‑toto SLSA attestation |
-| **Delta patches** | Daily diff bundles keep size \< 350 MB |
-
-*Scanner core:* C# 12 on **.NET {{ dotnet }}**.  
-*Imports are idempotent and atomic — no service downtime.*
+| Component | Contents |
+|-----------|----------|
+| **Merged vulnerability feeds** | OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU |
+| **Container images** | `stella-ops`, *Zastava* sidecar (x86‑64 & arm64) |
+| **Provenance** | Cosign signature, SPDX 2.3 SBOM, in‑toto SLSA attestation |
+| **Attested manifest** | `offline-manifest.json` + detached JWS covering bundle metadata, signed during export. |
+| **Delta patches** | Daily diff bundles keep size \< 350 MB |
+
+**RU BDU note:** ship the official Russian Trusted Root/Sub CA bundle (`certificates/russian_trusted_bundle.pem`) inside the kit so `feedser:httpClients:source.bdu:trustedRootPaths` can resolve it when the service runs in an air‑gapped network. Drop the most recent `vulxml.zip` alongside the kit if operators need a cold-start cache.
+
+*Scanner core:* C# 12 on **.NET {{ dotnet }}**.  
+*Imports are idempotent and atomic — no service downtime.*
 
 ---
 
 ## 1 · Download & verify
 
-```bash
-curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz
-curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz.sig
-
-cosign verify-blob \
-  --key https://stella-ops.org/keys/cosign.pub \
-  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
-  stella-ops-offline-kit-<DATE>.tgz
+```bash
+curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz
+curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz.sig
+curl -LO https://get.stella-ops.org/ouk/offline-manifest-<DATE>.json
+curl -LO https://get.stella-ops.org/ouk/offline-manifest-<DATE>.json.jws
+
+cosign verify-blob \
+  --key https://stella-ops.org/keys/cosign.pub \
+  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
+  stella-ops-offline-kit-<DATE>.tgz
 ````
 
-Verification prints **OK** and the SHA‑256 digest; cross‑check against the
-[changelog](https://git.stella-ops.org/stella-ops/offline-kit/-/releases).
+Verification prints **OK** and the SHA‑256 digest; cross‑check against the
+[changelog](https://git.stella-ops.org/stella-ops/offline-kit/-/releases).
+
+Validate the attested manifest before distribution:
+
+```bash
+cosign verify-blob \
+  --key https://stella-ops.org/keys/cosign.pub \
+  --signature offline-manifest-<DATE>.json.jws \
+  offline-manifest-<DATE>.json
+
+jq '.artifacts[] | {name, sha256, size, capturedAt}' offline-manifest-<DATE>.json
+```
+
+The manifest enumerates every artefact (`name`, `sha256`, `size`, `capturedAt`) and is signed with the same key registry as Authority revocation bundles. Operators can ship the manifest alongside the tarball so downstream mirrors can re-verify without unpacking the kit.
 
 ---