blocked 4

ops/devops/airgap/sealed-ci-smoke.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Simple sealed-mode CI smoke: block egress, resolve mock DNS, assert services start.
+ROOT=${ROOT:-$(cd "$(dirname "$0")/../.." && pwd)}
+LOGDIR=${LOGDIR:-$ROOT/out/airgap-smoke}
+mkdir -p "$LOGDIR"
+
+# 1) Start mock DNS (returns 0.0.0.0 for everything)
+DNS_PORT=${DNS_PORT:-53535}
+python - <<PY &
+import socketserver, threading
+from dnslib import DNSRecord, RR, A
+
+class Handler(socketserver.BaseRequestHandler):
+    def handle(self):
+        data, sock = self.request
+        request = DNSRecord.parse(data)
+        reply = request.reply()
+        reply.add_answer(RR(request.q.qname, rdata=A('0.0.0.0')))
+        sock.sendto(reply.pack(), self.client_address)
+
+def run():
+    with socketserver.UDPServer(('0.0.0.0', ${DNS_PORT}), Handler) as server:
+        server.serve_forever()
+
+threading.Thread(target=run, daemon=True).start()
+PY
+
+# 2) Block egress except loopback
+iptables -I OUTPUT -d 127.0.0.1/8 -j ACCEPT
+iptables -I OUTPUT -d 0.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -j DROP
+
+# 3) Placeholder: capture environment info (replace with service start once wired)
+pushd "$ROOT" >/dev/null
+DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_HTTP2SUPPORT=false \
+DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+DNS_SERVER=127.0.0.1:${DNS_PORT} \
+dotnet --info > "$LOGDIR/dotnet-info.txt"
+popd >/dev/null
+
+echo "sealed CI smoke complete; logs at $LOGDIR"

ops/devops/export/minio-compose.yml

@@ -0,0 +1,21 @@
+version: '3.8'
+services:
+  minio:
+    image: minio/minio:RELEASE.2024-10-08T09-56-18Z
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: exportci
+      MINIO_ROOT_PASSWORD: exportci123
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - minio-data:/data
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+volumes:
+  minio-data:
+    driver: local

ops/devops/export/seed-minio.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+MINIO_ENDPOINT=${MINIO_ENDPOINT:-http://localhost:9000}
+MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:-exportci}
+MINIO_SECRET_KEY=${MINIO_SECRET_KEY:-exportci123}
+BUCKET=${BUCKET:-export-ci}
+TMP=$(mktemp)
+cleanup(){ rm -f "$TMP"; }
+trap cleanup EXIT
+
+cat > "$TMP" <<'DATA'
+{"id":"exp-001","object":"s3://export-ci/sample-export.ndjson","status":"ready"}
+DATA
+
+export AWS_ACCESS_KEY_ID="$MINIO_ACCESS_KEY"
+export AWS_SECRET_ACCESS_KEY="$MINIO_SECRET_KEY"
+export AWS_EC2_METADATA_DISABLED=true
+
+if ! aws --endpoint-url "$MINIO_ENDPOINT" s3 ls "s3://$BUCKET" >/dev/null 2>&1; then
+  aws --endpoint-url "$MINIO_ENDPOINT" s3 mb "s3://$BUCKET"
+fi
+aws --endpoint-url "$MINIO_ENDPOINT" s3 cp "$TMP" "s3://$BUCKET/sample-export.ndjson"
+echo "Seeded $BUCKET/sample-export.ndjson"