save progress

docs/24_OFFLINE_KIT.md

@@ -19,6 +19,7 @@ completely isolated network:
 | **Delta patches** | Daily diff bundles keep size \< 350 MB |
 | **Scanner plug-ins** | OS analyzers plus the Node.js, Go, .NET, Python, Ruby, Rust, and PHP language analyzers packaged under `plugins/scanner/analyzers/**` with manifests so Workers load deterministically offline. |
 | **Debug store** | `.debug` artefacts laid out under `debug/.build-id/<aa>/<rest>.debug` with `debug/debug-manifest.json` mapping build-ids to originating images for symbol retrieval. |
+| **Secret Detection Rules** | DSSE-signed rule bundles under `rules/secrets/<version>/` with manifest, JSONL rules, and signature envelope for air-gapped secret leak detection. |
 | **Telemetry collector bundle** | `telemetry/telemetry-offline-bundle.tar.gz` plus `.sha256`, containing OTLP collector config, Helm/Compose overlays, and operator instructions. |
 | **CLI + Task Packs** | `cli/` binaries from `release/cli`, Task Runner bootstrap (`bootstrap/task-runner/task-runner.yaml.sample`), and task-pack docs under `docs/task-packs/**` + `docs/modules/taskrunner/**`. |
 | **Orchestrator/Export/Notifier kits** | Orchestrator service, worker SDK, Postgres snapshot, dashboards (`orchestrator/**`), Export Center bundles (`export-center/**`), Notifier offline packs (`notifier/**`). |
@@ -41,6 +42,68 @@ completely isolated network:
 
 The PHP analyzer parses `composer.lock` for Composer dependencies and supports optional runtime evidence via the `stella-trace.php` shim; set `STELLA_PHP_OPCACHE=1` to enable opcache statistics collection.
 
+**Secret Detection Rules:**
+
+The Offline Kit includes DSSE-signed rule bundles for secret leak detection, enabling fully offline scanning for exposed credentials, API keys, and other sensitive data.
+
+**Bundle Structure:**
+```
+rules/secrets/<version>/
+  secrets.ruleset.manifest.json    # Bundle metadata (version, rule count, signer)
+  secrets.ruleset.rules.jsonl      # Rule definitions (one JSON per line)
+  secrets.ruleset.dsse.json        # DSSE signature envelope
+  SHA256SUMS                       # File checksums
+```
+
+**Manifest Format:**
+```json
+{
+  "bundleId": "secrets.ruleset",
+  "bundleType": "secrets",
+  "version": "2026.01",
+  "ruleCount": 150,
+  "signerKeyId": "stellaops-secrets-signer",
+  "signedAt": "2026-01-04T00:00:00Z",
+  "files": [
+    {
+      "name": "secrets.ruleset.rules.jsonl",
+      "digest": "sha256:...",
+      "sizeBytes": 45678
+    }
+  ]
+}
+```
+
+**Installation:**
+```bash
+# Verify bundle signature using local attestor mirror
+export STELLA_ATTESTOR_URL="file:///mnt/offline-kit/attestor-mirror"
+devops/offline/scripts/install-secrets-bundle.sh \
+  /mnt/offline-kit/rules/secrets/2026.01 \
+  /opt/stellaops/plugins/scanner/analyzers/secrets
+```
+
+**Bundle Rotation:**
+```bash
+# Upgrade to new version with automatic backup
+devops/offline/scripts/rotate-secrets-bundle.sh \
+  /mnt/offline-kit/rules/secrets/2026.02
+```
+
+**Enable Feature:**
+```yaml
+scanner:
+  features:
+    experimental:
+      secret-leak-detection: true
+```
+
+**Verify Bundle is Loaded:**
+```bash
+kubectl logs -l app=scanner-worker --tail=100 | grep SecretsAnalyzerHost
+# Expected: SecretsAnalyzerHost: Loaded bundle 2026.01 with 150 rules
+```
+
 **Python analyzer features:**
 - **Wheel/sdist/editable** parsing with dependency edges from `METADATA`, `PKG-INFO`, `requirements.txt`, and `pyproject.toml`
 - **Virtual environment** support for virtualenv, venv, and conda prefix layouts