# Export AirGap Prep — PREP-EXPORT-AIRGAP-56-002

Status: **Ready for implementation** (2025-11-20)
Owners: Exporter Service Guild · DevOps Guild
Scope: Bootstrap pack (images + charts) packaging for air-gap deploys, dependent on 56-001 evidence/mirror bundle inputs.

## Dependencies

- Sealed bundle schema + advisory contents from 56-001 prep (`docs/modules/export-center/prep/2025-11-20-export-airgap-56-001-prep.md`).
- Mirror/DevOps deployment expectations (values-airgap.yaml) to place bootstrap packs.

## Packaging contract

- Produce deterministic OCI archive `bootstrap-pack-v1.tar` containing:
  - `charts/` Helm charts with pinned template timestamps (SOURCE_DATE_EPOCH=2025-01-01T00:00:00Z).
  - `images/` directory with referenced container layers/blobs; `manifest.json` aligning with `index.json` (OCI image layout).
  - `signatures/` optional DSSE/TUF metadata if provided by 56-001.
- Tarball is gzip-compressed with mtime pinned to `2025-01-01T00:00:00Z`, `0644` perms, uid/gid 0.
- Checksums: `bootstrap-pack-v1.tar.sha256` with `sha256 bootstrap-pack-v1.tar` exactly.

## API/endpoints

- `POST /v1/exports/airgap/bootstrap` → stages pack build; returns `exportId` and profile `bootstrap`.
- `GET /v1/exports/airgap/bootstrap/{exportId}` → status + `downloadUri`, `rootHash`, `artifactSha256`.
- `GET /v1/exports/airgap/bootstrap/{exportId}/download` → serves `application/gzip` tarball; `ETag` = SHA-256.
- Auth scopes: `export:write` for POST; `export:read` for GET/Download.

## Determinism & observability

- Single build timestamp derived from SOURCE_DATE_EPOCH; no wall-clock elsewhere.
- Structured logs `{exportId, profile:"bootstrap", rootHash, artifactSha256}`; metrics `export.bootstrap.completed`, `export.bootstrap.duration_ms`.

## Acceptance criteria

- Tarball is byte-stable across reruns for same inputs; checksum file matches.
- Status/download endpoints documented with headers (`ETag`, `Last-Modified`, quota headers).
- Bootstrap pack content references evidence/mirror bundles from 56-001 (by digest/URL) without re-signing.

## Handoff

- Implement pack build and endpoints in ExportCenter Worker/WebService; use same storage layout as evidence export (`exports/{tenant}/{exportId}/bootstrap-pack-v1.tar`).
- Update Sprint 0162 Delivery Tracker entry P3 to DONE when contract is published.
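
The packaging contract and determinism rules above can be exercised with a small reference build. This is an added example, not ExportCenter code: it builds a gzip-compressed tar with pinned mtime, `0644` perms and uid/gid 0, then audits and checksums it. The function names, the sample files and the `sha256sum`-style layout of the checksum line are assumptions.

```python
import gzip
import hashlib
import io
import tarfile

# 2025-01-01T00:00:00Z as Unix seconds: the pinned timestamp from the contract.
PINNED_MTIME = 1735689600
PACK_NAME = "bootstrap-pack-v1.tar"
# Constructed sample inputs; a real pack carries charts/, images/, signatures/.
SAMPLE = {
    "images/index.json": b'{"schemaVersion": 2, "manifests": []}',
    "charts/app/Chart.yaml": b"apiVersion: v2\nname: app\nversion: 1.0.0\n",
    "images/manifest.json": b"[]",
}

def build_pack(files: dict[str, bytes]) -> bytes:
    """Return gzip-compressed tar bytes that depend only on `files`."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):  # fixed member order, independent of input order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = PINNED_MTIME
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""  # no build-host user or group names
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header has its own mtime and optional filename; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb",
                       compresslevel=9, mtime=PINNED_MTIME) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def checksum_line(pack: bytes) -> str:
    # Assumed layout: "<hex digest>  <file name>", as sha256sum writes it.
    return f"{hashlib.sha256(pack).hexdigest()}  {PACK_NAME}\n"

def verify(pack: bytes, line: str) -> bool:
    digest, _, name = line.rstrip("\n").partition("  ")
    return name == PACK_NAME and digest == hashlib.sha256(pack).hexdigest()

def audit_members(pack: bytes) -> list[str]:
    """Return names of members whose tar header violates the contract."""
    with tarfile.open(fileobj=io.BytesIO(pack), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if (m.mtime, m.mode, m.uid, m.gid) != (PINNED_MTIME, 0o644, 0, 0)]
```

Byte-stability of the gzip layer also depends on every build host using the same zlib implementation and compression level, so pin those alongside the timestamp.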