up

docs/airgap/bootstrap.md

@@ -0,0 +1,33 @@
+# Bootstrap Pack (Airgap 56-004)
+
+Guidance to build and install the bootstrap pack that primes sealed environments.
+
+## Contents
+- Core images/charts for platform services (Authority, Excititor, Concelier, Export Center, Scheduler) with digests.
+- Offline NuGet/npm caches (if permitted) with checksum manifest.
+- Configuration defaults: sealed-mode toggles, trust roots, time-anchor bundle, network policy presets.
+- Verification scripts: hash check, DSSE verification (if available), and connectivity probes to local mirrors.
+
+## Build steps
+1. Gather image digests and charts from trusted registry/mirror.
+2. Create `bootstrap-manifest.json` with:
+   - `bundleId`, `createdAt` (UTC), `producer`, `mirrorGeneration`
+   - `files[]` (path, sha256, size, mediaType)
+   - optional `dsseEnvelopeHash`
+3. Package into tarball with deterministic ordering (POSIX tar, sorted paths, numeric owner 0:0).
+4. Compute sha256 for tarball; record in manifest.
+
+## Install steps
+1. Transfer pack to sealed site (removable media).
+2. Verify tarball hash and DSSE (if present) using offline trust roots.
+3. Load images/charts into local registry; preload caches to `local-nugets/` etc.
+4. Apply network policies (deny-all) and sealed-mode config.
+5. Register bootstrap manifest and mirrorGeneration with Excititor/Export Center.
+
+## Determinism & rollback
+- Keep manifests in ISO-8601 UTC; no host-specific metadata in tar headers.
+- For rollback, retain previous bootstrap tarball + manifest; restore registry contents and config snapshots.
+
+## Related
+- `docs/airgap/mirror-bundles.md` — mirror pack format and validation.
+- `docs/airgap/sealing-and-egress.md` — egress enforcement used during install.