# DevPortal Offline Prep — PREP-DVOFF-64-002

Status: **Ready for implementation** (2025-11-20)
Owners: DevPortal Offline Guild · AirGap Controller Guild
Scope: Define sealed bundle sample + CLI verify flow for DevPortal offline verification (`stella devportal verify bundle.tgz`).

## Required inputs
- EvidenceLocker sealed bundle contract: `docs/modules/evidence-locker/bundle-packaging.md` (bundle.tgz layout, determinism).
- Portable bundle guidance: `docs/airgap/portable-evidence.md` (for redacted flow).

## Sample artefacts to publish
- `out/devportal/samples/bundle.tgz` — copy of EvidenceLocker sealed bundle (write-once).
- `out/devportal/samples/bundle.tgz.sha256` — `sha256  bundle.tgz` line.
- `out/devportal/samples/verify-report.json` — expected CLI JSON output after verification (see below).

## CLI verification flow (contract)
- Command: `stella devportal verify --bundle bundle.tgz --offline`
- Steps performed:
  1) Validate SHA-256 against `.sha256` file.
  2) Extract `manifest.json`, `signature.json`, `bundle.json`, `checksums.txt` (no rewrite).
  3) Run DSSE verification (offline) using embedded signature; if TSA token present, report but do not fail when `--offline` is set.
  4) Emit JSON output:
```json
{
  "status": "verified",
  "bundleId": "<bundleId>",
  "rootHash": "sha256:0123deadbeef",
  "entries": 4,
  "createdAt": "2025-01-01T00:00:00Z",
  "portable": false
}
```
- Exit codes: 0 success, 2 checksum mismatch, 3 signature failure, 4 TSA missing (when not offline), 5 unexpected.
- Determinism: no network calls when `--offline`; output JSON keys sorted.

## Acceptance criteria
- Sample bundle and .sha256 published under `out/devportal/samples/` with hashes listed in this sprint.
- CLI flow documented above; exit codes and sample JSON provided.
- Prep doc linked from Sprint 0162 P1 and DevPortal docs when implemented.

## Next steps
- Publish the sample bundle + hashes; update sprint Delivery Tracker to DONE once artifacts exist.