# Concelier mirror/offline export path (dev baseline)

Goal: serve advisory chunks and provenance via the existing `/concelier/exports/mirror/*` endpoints without blocking on release signing/DevOps pipelines.

## Minimal layout (dev)
Point `CONCELIER_MIRROR__EXPORTROOT` at a directory that contains:

```
<exportId>/
  mirror/
    index.json
    <domain>/manifest.json
    <domain>/bundle.json
    <domain>/bundle.json.jws   (optional; unsigned in dev)
```

Example generator (dev):
```
EXPORTROOT=out/concelier/exports
EXPORTID=$(date -u +%Y%m%dT%H%M%SZ)
DOMAIN=primary
mkdir -p "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN"
cat > "$EXPORTROOT/$EXPORTID/mirror/index.json" <<'JSON'
{"schemaVersion":1,"domains":[{"id":"primary","displayName":"Primary"}]}
JSON
cat > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/manifest.json" <<'JSON'
{"domainId":"primary","created":"2025-11-23T00:00:00Z","schemaVersion":1,"advisories":0}
JSON
# Placeholder bundle built from canonical chunks; replace with real export job output
echo '{"advisories":[]}' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json"
echo 'unsigned-dev-bundle' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json.jws"
ln -sfn "$EXPORTID" "$EXPORTROOT/latest"
```

Configure Concelier to serve it:
```
CONCELIER_MIRROR__ENABLED=true
CONCELIER_MIRROR__EXPORTROOT=out/concelier/exports
CONCELIER_MIRROR__ACTIVEEXPORTID=<exportId>   # optional; falls back to latest
CONCELIER_MIRROR__DOMAINS__0__ID=primary
CONCELIER_MIRROR__DOMAINS__0__DISPLAYNAME=Primary
CONCELIER_MIRROR__DOMAINS__0__REQUIREAUTHENTICATION=false
```

With this in place, the existing endpoints return:
- `/concelier/exports/index.json`
- `/concelier/exports/mirror/primary/manifest.json`
- `/concelier/exports/mirror/primary/bundle.json` (and `.jws`)

## Why this unblocks development
- Uses the canonical chunk schema already emitted by CONCELIER-LNM-21-001.
- Requires no release signing; works with unsigned dev bundles.
- Keeps path and filenames identical to planned release layout, so DevOps can later layer signing/TUF in a separate sprint.

## Next (DevOps) step
- `DEVOPS-MIRROR-23-001-REL` will replace the placeholder bundle generator with the signed/exported artefact pipeline and enforce DSSE/TUF.