# AOC Backfill Release Plan (DEVOPS-STORE-AOC-19-005-REL)

Scope: Release/offline-kit packaging for Concelier AOC backfill operations.

## Prerequisites

- Dataset hash from dev rehearsal (AOC-19-005 dev outputs)
- AOC guard tests passing (DEVOPS-AOC-19-001/002/003 - DONE)
- Supersedes rollout plan reviewed (`ops/devops/aoc/supersedes-rollout.md`)

## Artefacts

- Backfill runner bundle:
  - `aoc-backfill-runner.tar.gz` - CLI tool + scripts
  - `aoc-backfill-runner.sbom.json` - SPDX SBOM
  - `aoc-backfill-runner.dsse.json` - Cosign attestation
- Dataset bundle:
  - `aoc-dataset-{hash}.tar.gz` - Seeded dataset
  - `aoc-dataset-{hash}.manifest.json` - Manifest with checksums
  - `aoc-dataset-{hash}.provenance.json` - SLSA provenance
- Offline kit slice:
  - All above + SHA256SUMS + verification scripts

## Packaging Script

```bash
# Production (CI with secrets)
./ops/devops/aoc/package-backfill-release.sh

# Development (dev key)
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
DATASET_HASH=dev-rehearsal-placeholder \
./ops/devops/aoc/package-backfill-release.sh
```

## Pipeline Outline

1) Build backfill runner from `src/Aoc/StellaOps.Aoc.Cli/`
2) Generate SBOM with syft
3) Sign with cosign (dev key fallback)
4) Package dataset (when hash available)
5) Create offline bundle with checksums
6) Verification:
   - `stella aoc verify --dry-run`
   - `cosign verify-blob` for all bundles
   - `sha256sum --check`
7) Publish to release bucket + offline kit

## Runbook

1) Validate AOC guard tests pass in CI
2) Run dev rehearsal with test dataset
3) Capture dataset hash from rehearsal
4) Execute packaging script with production key
5) Verify all signatures and checksums
6) Upload to release bucket
7) Include in offline kit manifest

## CI Workflow

`.gitea/workflows/aoc-backfill-release.yml`

## Verification

```bash
# Verify bundle signatures
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle out/aoc/aoc-backfill-runner.dsse.json \
  out/aoc/aoc-backfill-runner.tar.gz

# Verify checksums
cd out/aoc && sha256sum -c SHA256SUMS
```

## Owners

- DevOps Guild (pipeline + packaging)
- Concelier Storage Guild (dataset + backfill logic)
- Platform Security (signing policy)
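The checksum and signature checks in the pipeline outline (step 5, "create offline bundle with checksums", and step 6, `sha256sum --check` plus `cosign verify-blob` for all bundles) are shown above as two loose commands. The script below is an added example, not one of the verification scripts shipped in the offline kit slice or anything from `ops/devops/aoc`. It assumes the kit is a flat directory holding the bundles, their sibling JSON files and a coreutils-format `SHA256SUMS`; it assumes every signed bundle has a sibling `.dsse.json` (the layout the page shows for `aoc-backfill-runner`) and treats a `.tar.gz` without one as a failure rather than skipping it, since the page does not say which cosign bundle covers the dataset tarball. The default public key path is the dev key from the Verification section; pass the production key as the second argument for a real release.

```shell
#!/usr/bin/env bash
# Added example (not part of ops/devops/aoc): build and verify the offline-kit
# checksum file, then verify cosign signatures on every bundle in the kit.
set -u

# Write SHA256SUMS over every regular file in the kit directory (pipeline step 5).
# Globbing yields sorted names, so the file is reproducible across runs.
build_sha256sums() {
  dir=$1
  (
    cd "$dir" || exit 1
    : > SHA256SUMS
    for f in *; do
      [ -f "$f" ] || continue
      [ "$f" = SHA256SUMS ] && continue
      sha256sum "$f" >> SHA256SUMS
    done
  )
}

# The `sha256sum --check` step. --strict makes a malformed line a failure instead
# of a warning; --quiet leaves only mismatches in the output.
verify_sha256sums() {
  dir=$1
  ( cd "$dir" && sha256sum --check --strict --quiet SHA256SUMS )
}

# The `cosign verify-blob` step for all bundles. Assumption: each signed *.tar.gz
# ships with a sibling <name>.dsse.json bundle. A tarball without one is reported
# as UNSIGNED and fails the run, so an unsigned artefact cannot pass silently.
verify_signatures() {
  dir=$1; pubkey=$2
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found" >&2; return 1; }
  rc=0
  for tgz in "$dir"/*.tar.gz; do
    [ -f "$tgz" ] || continue
    bundle="${tgz%.tar.gz}.dsse.json"
    if [ ! -f "$bundle" ]; then
      echo "UNSIGNED: $tgz (no $bundle)" >&2; rc=1; continue
    fi
    if cosign verify-blob --key "$pubkey" --bundle "$bundle" "$tgz" >/dev/null 2>&1; then
      echo "OK: $tgz"
    else
      echo "BAD SIGNATURE: $tgz" >&2; rc=1
    fi
  done
  return $rc
}

# Checksums first (cheap, catches truncated downloads), then signatures.
# Default key is the dev key from the Verification section; pass the production
# key path as the second argument for a release kit.
verify_kit() {
  dir=$1; pubkey=${2:-tools/cosign/cosign.dev.pub}
  verify_sha256sums "$dir" && verify_signatures "$dir" "$pubkey"
}

# Usage: ./verify-kit.sh out/aoc [path/to/cosign.pub]
if [ $# -gt 0 ]; then
  verify_kit "$@"
fi
```

Running the checksum step before the signature step is deliberate: a partial or corrupted copy of the kit fails fast on `sha256sum` without spending time in cosign, and a tamper that survives the checksum check (an attacker who can rewrite `SHA256SUMS` too) is still caught by the signature on each bundle.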