git.stella-ops.org/docs/modules/concelier/mirror-export.md
StellaOps Bot 029002ad05 work
2025-11-23 23:40:10 +02:00

Concelier mirror/offline export path (dev baseline)

Goal: serve advisory chunks and provenance via the existing /concelier/exports/mirror/* endpoints without blocking on release signing/DevOps pipelines.

Minimal layout (dev)

Point CONCELIER_MIRROR__EXPORTROOT at a directory that contains:

<exportId>/
  mirror/
    index.json
    <domain>/manifest.json
    <domain>/bundle.json
    <domain>/bundle.json.jws   (optional; unsigned in dev)

Example generator (dev):

EXPORTROOT=out/concelier/exports
EXPORTID=$(date -u +%Y%m%dT%H%M%SZ)
DOMAIN=primary
mkdir -p "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN"
cat > "$EXPORTROOT/$EXPORTID/mirror/index.json" <<'JSON'
{"schemaVersion":1,"domains":[{"id":"primary","displayName":"Primary"}]}
JSON
cat > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/manifest.json" <<'JSON'
{"domainId":"primary","created":"2025-11-23T00:00:00Z","schemaVersion":1,"advisories":0}
JSON
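# Placeholder bundle built from canonical chunks; replace with real export job output
echo '{"advisories":[]}' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json"
# Placeholder text only: this file is not a JWS and carries no signature
echo 'unsigned-dev-bundle' > "$EXPORTROOT/$EXPORTID/mirror/$DOMAIN/bundle.json.jws"
# "latest" is what Concelier falls back to when no active export id is configured
ln -sfn "$EXPORTID" "$EXPORTROOT/latest"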

Configure Concelier to serve it:

CONCELIER_MIRROR__ENABLED=true
CONCELIER_MIRROR__EXPORTROOT=out/concelier/exports
CONCELIER_MIRROR__ACTIVEEXPORTID=<exportId>   # optional; falls back to latest
CONCELIER_MIRROR__DOMAINS__0__ID=primary
CONCELIER_MIRROR__DOMAINS__0__DISPLAYNAME=Primary
CONCELIER_MIRROR__DOMAINS__0__REQUIREAUTHENTICATION=false   # dev baseline: this domain is served without authentication

With this in place, the existing endpoints serve:

  • /concelier/exports/index.json
  • /concelier/exports/mirror/primary/manifest.json
  • /concelier/exports/mirror/primary/bundle.json (and .jws)

Why this unblocks development

  • Uses the canonical chunk schema already emitted by CONCELIER-LNM-21-001.
  • Requires no release signing; works with unsigned dev bundles.
  • Keeps paths and filenames identical to the planned release layout, so DevOps can later layer signing/TUF on top in a separate sprint.

Next (DevOps) step

  • DEVOPS-MIRROR-23-001-REL will replace the placeholder bundle generator with the signed/exported artefact pipeline and enforce DSSE/TUF.
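
Because the dev layout and the release layout share paths and filenames, an unsigned export can be mistaken for a signed one. The following is an added example, not part of the Concelier code base: a Python pre-publish check that walks an export in the layout above and flags any domain whose bundle.json.jws is missing or is only the dev placeholder. It assumes the release .jws will be a JWS compact serialization (possibly with a detached payload); the function names and finding strings are hypothetical, and the shape check does not verify any signature.

```python
import base64, json, tempfile
from pathlib import Path

def _b64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def looks_like_compact_jws(text: str) -> bool:
    """Shape check only, no signature verification; payload may be detached."""
    try:
        head, _payload, sig = text.strip().split(".")
        header = json.loads(_b64url(head))
        _b64url(sig)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False
    alg = str(header.get("alg", "none")) if isinstance(header, dict) else "none"
    return bool(sig) and alg.lower() != "none"  # reject empty or "none" signatures

def check_export(root: Path, export_id: str = "latest") -> list[str]:
    """Return findings for one export, using the mirror/ layout on this page."""
    mirror, findings = root / export_id / "mirror", []
    index = json.loads((mirror / "index.json").read_text())
    for entry in index.get("domains", []):
        dom = str(entry.get("id", "")) if isinstance(entry, dict) else ""
        if not dom or "/" in dom or "\\" in dom or dom in (".", ".."):
            findings.append(f"index.json: unsafe domain id {dom!r}")
            continue
        ddir = mirror / dom
        try:
            manifest = json.loads((ddir / "manifest.json").read_text())
            json.loads((ddir / "bundle.json").read_text())  # must exist and parse
        except (OSError, ValueError) as exc:
            findings.append(f"{dom}: manifest or bundle unreadable ({type(exc).__name__})")
            continue
        if not isinstance(manifest, dict) or manifest.get("domainId") != dom:
            findings.append(f"{dom}: manifest domainId mismatch")
        jws = ddir / "bundle.json.jws"
        if not (jws.is_file() and looks_like_compact_jws(jws.read_text(errors="replace"))):
            findings.append(f"{dom}: bundle.json.jws missing or not a JWS (unsigned)")
    return findings

def demo() -> list[str]:  # constructed sample: the dev generator's files
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "20251123T000000Z" / "mirror" / "primary"
        d.mkdir(parents=True)
        (d.parent / "index.json").write_text('{"schemaVersion":1,"domains":[{"id":"primary"}]}')
        (d / "manifest.json").write_text('{"domainId":"primary","schemaVersion":1,"advisories":0}')
        (d / "bundle.json").write_text('{"advisories":[]}')
        (d / "bundle.json.jws").write_text("unsigned-dev-bundle\n")
        return check_export(Path(tmp), "20251123T000000Z")
```

Run against the dev generator's output, `check_export` reports the placeholder .jws as unsigned; an empty result means the layout is complete and every domain has something shaped like a signature, which still has to be verified cryptographically.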