up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
This commit is contained in:
StellaOps Bot
49
docs/modules/cli/guides/airgap.md
Normal file
49
docs/modules/cli/guides/airgap.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# CLI Airgap Guide (DOCS-AIRGAP-57-003)
|
||||
|
||||
Offline/air-gapped usage patterns for the Stella CLI.
|
||||
|
||||
## Prerequisites
|
||||
- CLI installed from offline bundle; `local-nugets/` and cached plugins available.
|
||||
- Mirror/Bootstrap bundles staged locally; no external network required.
|
||||
- Set `STELLA_OFFLINE=true` to prevent outbound fetches.
|
||||
|
||||
## Common commands
|
||||
- Validate mirror bundle
|
||||
```bash
|
||||
stella airgap verify-bundle /mnt/media/mirror.tar \
|
||||
--manifest /mnt/media/manifest.json \
|
||||
--trust-root /opt/stella/trust/mirror-root.pem
|
||||
```
|
||||
- Import bundle into local registry
|
||||
```bash
|
||||
stella airgap import --bundle /mnt/media/mirror.tar --generation 12
|
||||
```
|
||||
- Check sealed mode status
|
||||
```bash
|
||||
stella airgap status
|
||||
```
|
||||
- List bundles and staleness
|
||||
```bash
|
||||
stella airgap list --format table
|
||||
```
|
||||
|
||||
## Determinism & offline rules
|
||||
- Commands must succeed without egress; any outbound attempt is a bug—report with logs.
|
||||
- Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
|
||||
- Outputs are stable JSON/NDJSON; timestamps use UTC.
|
||||
|
||||
## Exit codes
|
||||
- `0` success
|
||||
- `2` validation failed (hash/signature mismatch)
|
||||
- `3` sealed-mode violation (unexpected egress attempted)
|
||||
- `4` input/argument error
|
||||
- `>4` unexpected error (inspect logs)
|
||||
|
||||
## Logs
|
||||
- Default stderr structured JSON: includes `tenant`, `bundleId`, `mirrorGeneration`, `sealed` flag.
|
||||
- For audits, use `--log-file /var/log/stella/airgap.log --log-format json`.
|
||||
|
||||
## Tips
|
||||
- Keep bundles on read-only media to avoid hash drift.
|
||||
- Use `--dry-run` to validate without writing to registries.
|
||||
- Pair with `docs/airgap/overview.md` and `docs/airgap/sealing-and-egress.md` for policy context.
|
||||
25
docs/modules/cli/guides/attest.md
Normal file
25
docs/modules/cli/guides/attest.md
Normal file
@@ -0,0 +1,25 @@
|
||||
# CLI Attest Guide (DOCS-ATTEST-74-004)
|
||||
|
||||
How to verify and inspect attestations via CLI.
|
||||
|
||||
## Verify DSSE
|
||||
```bash
|
||||
stella attest verify --envelope bundle.dsse.json --policy policy.json \
|
||||
--root keys/root.pem --transparency-checkpoint checkpoints/rekor.json
|
||||
```
|
||||
- Offline verification uses bundled roots and checkpoints; transparency optional.
|
||||
|
||||
## List attestations
|
||||
```bash
|
||||
stella attest list --tenant default --issuer dev-kms --format table
|
||||
```
|
||||
|
||||
## Show attestation
|
||||
```bash
|
||||
stella attest show --id a1b2c3 --output json
|
||||
```
|
||||
|
||||
## Notes
|
||||
- No network access required in sealed mode.
|
||||
- All commands emit deterministic JSON; timestamps in UTC.
|
||||
- Exit codes: 0 success, 2 verification failed, 4 input error.
|
||||
Reference in New Issue
Block a user