up

ops/devops/ledger/packs-infrastructure.md

@@ -0,0 +1,58 @@
+# Findings Ledger Packs Infrastructure
+
+## Scope
+Infrastructure for snapshot/time-travel export packaging and signing.
+
+## Tasks Covered
+- DEVOPS-LEDGER-PACKS-42-001-REL: Snapshot/time-travel export packaging
+- DEVOPS-LEDGER-PACKS-42-002-REL: Pack signing + integrity verification
+
+## Components
+
+### 1. Pack Builder
+Creates deterministic export packs from Ledger snapshots.
+
+```bash
+# Build pack from snapshot
+./ops/devops/ledger/build-pack.sh --snapshot-id <id> --output out/ledger/packs/
+
+# Dev mode with signing
+COSIGN_ALLOW_DEV_KEY=1 ./ops/devops/ledger/build-pack.sh --sign
+```
+
+### 2. Pack Verifier
+Verifies pack integrity and signatures.
+
+```bash
+# Verify pack
+./ops/devops/ledger/verify-pack.sh out/ledger/packs/snapshot-*.pack.tar.gz
+```
+
+### 3. Time-Travel Export
+Creates point-in-time exports for compliance/audit.
+
+```bash
+# Export at specific timestamp
+./ops/devops/ledger/time-travel-export.sh --timestamp 2025-12-01T00:00:00Z
+```
+
+## Pack Format
+```
+snapshot-<id>.pack.tar.gz
+├── manifest.json          # Pack metadata + checksums
+├── findings/              # Finding records (NDJSON)
+├── metadata/              # Scan metadata
+├── provenance.json        # SLSA provenance
+└── signatures/
+    ├── manifest.dsse.json # DSSE signature
+    └── SHA256SUMS         # Checksums
+```
+
+## CI Workflows
+- `ledger-packs-ci.yml` - Build and verify packs
+- `ledger-packs-release.yml` - Sign and publish packs
+
+## Prerequisites
+- Ledger snapshot schema finalized
+- Storage contract defined
+- Pack format specification