# Export Attestation Prep — PREP-EXPORT-ATTEST-74-002

Status: **Ready for implementation** (2025-11-20)
Owners: Attestation Bundle Guild · DevOps Guild
Scope: Integrate attestation export bundle job (74-001) into CI/offline kit packaging, publish checksums, and ensure deterministic artefact promotion.

## Dependencies

- Export bundle contract v1 from 74-001: `docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md`.
- EvidenceLocker/Attestor attestation format (DSSE) — no re-signing allowed.
- Air-gap kit structure (mirror/bootstrap packs) from Sprint 160/56-002 for placement of attestation bundles.

## CI/offline kit integration contract

- **Build step**: Invoke ExportCenter job for targeted `attestationId` and stage `export-attestation-bundle-v1.tgz` under `out/export/attestations/{exportId}/`.
- **Checksum publication**: emit `export-attestation-bundle-v1.tgz.sha256` alongside the archive; contents `sha256 filename` with filename exactly `export-attestation-bundle-v1.tgz`.
- **Offline kit layout**:

  ```
  offline-kit/
    checksums/
      attestations/
        export-attestation-bundle-v1.tgz.sha256
    attestations/
      export-attestation-bundle-v1.tgz
  ```

- **Promotion**: artefacts are immutable; CI publishes to `out/export/offline-kits/{kitVersion}/` with write-once semantics. Promotion between environments copies bytes; no rebuilds.
- **Metadata**: append to `out/export/offline-kits/{kitVersion}/manifest.json`:

  ```json
  {
    "kind": "attestation-export",
    "exportId": "...",
    "attestationId": "...",
    "rootHash": "sha256:...",
    "artifact": "attestations/export-attestation-bundle-v1.tgz",
    "checksum": "checksums/attestations/export-attestation-bundle-v1.tgz.sha256",
    "createdAt": "2025-11-20T00:00:00Z"
  }
  ```

- **Determinism**: CI must set `SOURCE_DATE_EPOCH=1735689600` (2025-01-01T00:00:00Z) for any tar/gzip operations when re-wrapping kits; do not re-tar the inner export bundle.

## Acceptance criteria

- Export bundle generated by 74-001 is copied bit-for-bit into the offline kit; SHA256 in checksums file matches archive and `manifest.json` entry.
- Kit manifest contains the attestation entry with UTC timestamp and root hash; promotion produces identical bytes across runs.
- CI logs include the exportId and SHA256; failures stop the pipeline and do not overwrite prior artefacts.

## Handoff

- Wire CI/packaging scripts in ExportCenter DevOps pipeline to consume the 74-001 export endpoint and assemble offline kit layout above.
- Update Sprint 0162 Delivery Tracker entry P7 with status changes when implemented.
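
A verification step a packaging script could run against the assembled kit, as an added example (not ExportCenter's own code): it checks the checksum file format, the archive digest and the manifest entry fields named in the contract and acceptance criteria. It assumes `manifest.json` is a JSON array at the kit root with `artifact`/`checksum` paths relative to that root; `verify_kit`, `build_sample_kit` and the sample ids are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ARCHIVE = "export-attestation-bundle-v1.tgz"  # filename fixed by the contract

def verify_kit(kit: Path) -> list:
    """Return contract violations for an offline kit; an empty list means it passes."""
    # Assumption: manifest.json is a JSON array at the kit root and its
    # "artifact"/"checksum" paths are relative to that root.
    entries = json.loads((kit / "manifest.json").read_text())
    errors = []
    found = [e for e in entries if e.get("kind") == "attestation-export"]
    if not found:
        errors.append("manifest has no attestation-export entry")
    for e in found:
        eid = e.get("exportId", "?")
        archive, sumfile = kit / e["artifact"], kit / e["checksum"]
        if not (archive.is_file() and sumfile.is_file()):
            errors.append(f"{eid}: archive or checksum file missing")
            continue
        fields = sumfile.read_text().split()  # expected: "<sha256> <filename>"
        if len(fields) != 2 or fields[1] != ARCHIVE:
            errors.append(f"{eid}: checksum file is not '<sha256> {ARCHIVE}'")
        elif fields[0] != hashlib.sha256(archive.read_bytes()).hexdigest():
            errors.append(f"{eid}: SHA256 does not match archive bytes")
        if not e.get("createdAt", "").endswith("Z"):
            errors.append(f"{eid}: createdAt is not a UTC timestamp")
        if not e.get("rootHash", "").startswith("sha256:"):
            errors.append(f"{eid}: rootHash missing or not sha256")
    return errors

def build_sample_kit(kit: Path, payload: bytes = b"constructed bundle bytes") -> None:
    """Write a constructed kit in the documented layout (sample data, not a real export)."""
    (kit / "attestations").mkdir(parents=True)
    (kit / "checksums" / "attestations").mkdir(parents=True)
    (kit / "attestations" / ARCHIVE).write_bytes(payload)
    line = f"{hashlib.sha256(payload).hexdigest()}  {ARCHIVE}\n"
    (kit / "checksums" / "attestations" / f"{ARCHIVE}.sha256").write_text(line)
    entry = {"kind": "attestation-export", "exportId": "exp-sample", "attestationId": "att-sample",
             "rootHash": "sha256:" + "0" * 64, "artifact": f"attestations/{ARCHIVE}",
             "checksum": f"checksums/attestations/{ARCHIVE}.sha256",
             "createdAt": "2025-11-20T00:00:00Z"}
    (kit / "manifest.json").write_text(json.dumps([entry], indent=2))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_kit(Path(tmp) / "offline-kit")
        print(verify_kit(Path(tmp) / "offline-kit") or "kit OK")
```

Running the same check after each environment promotion confirms the bytes were copied rather than rebuilt; a non-empty result should fail the pipeline before anything is published.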