git.stella-ops.org/devops/services/ledger/packs-infrastructure.md
2025-12-26 18:11:06 +02:00

Findings Ledger Packs Infrastructure

Scope

Infrastructure for snapshot/time-travel export packaging and signing.

Tasks Covered

  • DEVOPS-LEDGER-PACKS-42-001-REL: Snapshot/time-travel export packaging
  • DEVOPS-LEDGER-PACKS-42-002-REL: Pack signing + integrity verification

Components

1. Pack Builder

Creates deterministic export packs from Ledger snapshots.

# Build pack from snapshot
./ops/devops/ledger/build-pack.sh --snapshot-id <id> --output out/ledger/packs/

# Dev mode with signing
COSIGN_ALLOW_DEV_KEY=1 ./ops/devops/ledger/build-pack.sh --sign

2. Pack Verifier

Verifies pack integrity and signatures.

# Verify pack
./ops/devops/ledger/verify-pack.sh out/ledger/packs/snapshot-*.pack.tar.gz

3. Time-Travel Export

Creates point-in-time exports for compliance/audit.

# Export at specific timestamp
./ops/devops/ledger/time-travel-export.sh --timestamp 2025-12-01T00:00:00Z

Pack Format

snapshot-<id>.pack.tar.gz
├── manifest.json          # Pack metadata + checksums
├── findings/              # Finding records (NDJSON)
├── metadata/              # Scan metadata
├── provenance.json        # SLSA provenance
└── signatures/
    ├── manifest.dsse.json # DSSE signature
    └── SHA256SUMS         # Checksums
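The integrity half of what the Pack Verifier above does, worked through against the layout just shown. This is an added example, not the project's verify-pack.sh, and it assumes a pack is a tar.gz with the documented members, that signatures/SHA256SUMS uses the two-space `sha256sum` line format, and that manifest.json carries a `files` map of path to SHA-256 digest (that field name is an assumption). The DSSE signature over the manifest is what would bind these digests to a signer; its verification is left out here so the block runs with the standard library only.

```python
"""Integrity check for a ledger export pack.

Added example, not the project's own verify-pack.sh. Assumes the "Pack Format"
layout: manifest.json, findings/, metadata/, provenance.json and
signatures/SHA256SUMS inside a tar.gz. The manifest "files" map is assumed.
DSSE signature verification is out of scope for this block.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

# Members that are not themselves listed in SHA256SUMS.
UNLISTED = {"signatures/SHA256SUMS", "signatures/manifest.dsse.json"}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_pack(path: str, tamper: bool = False) -> None:
    """Write a constructed pack (demo content, not real findings).

    With tamper=True one finding is altered after the checksums were computed,
    which is the failure the verifier must catch."""
    files = {
        "findings/findings.ndjson": b'{"id":"F-1","severity":"high"}\n',
        "metadata/scan.json": b'{"scanner":"demo","version":"0.0.0"}\n',
        "provenance.json": b'{"_type":"https://in-toto.io/Statement/v1"}\n',
    }
    manifest = {"snapshot_id": "demo",
                "files": {k: _sha256(v) for k, v in files.items()}}
    files["manifest.json"] = json.dumps(manifest, sort_keys=True).encode()
    sums = "".join(f"{_sha256(v)}  {k}\n" for k, v in sorted(files.items()))
    files["signatures/SHA256SUMS"] = sums.encode()
    if tamper:
        files["findings/findings.ndjson"] = b'{"id":"F-1","severity":"low"}\n'
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def verify_pack(path: str) -> list:
    """Return a list of problems found; an empty list means the pack passed."""
    problems = []
    members = {}
    with tarfile.open(path, "r:gz") as tar:
        for m in tar.getmembers():
            # Refuse absolute paths and '..' so a hostile pack cannot escape
            # the output directory if it is later extracted.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append(f"unsafe member path: {m.name}")
                continue
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()

    sums = members.get("signatures/SHA256SUMS")
    if sums is None:
        return problems + ["missing signatures/SHA256SUMS"]
    listed = {}
    for line in sums.decode().splitlines():
        digest, _, name = line.partition("  ")
        listed[name] = digest

    # 1. Every listed file must be present and match its digest.
    for name, digest in listed.items():
        data = members.get(name)
        if data is None:
            problems.append(f"listed but absent: {name}")
        elif _sha256(data) != digest:
            problems.append(f"checksum mismatch: {name}")

    # 2. Nothing may ride along uncovered by SHA256SUMS.
    for name in members:
        if name not in listed and name not in UNLISTED:
            problems.append(f"not covered by SHA256SUMS: {name}")

    # 3. The manifest's own digests must agree with SHA256SUMS; the DSSE
    #    signature (not checked here) is what would make the manifest trusted.
    if "manifest.json" in members:
        manifest_files = json.loads(members["manifest.json"]).get("files", {})
        for name, digest in manifest_files.items():
            if listed.get(name) != digest:
                problems.append(f"manifest/SHA256SUMS disagree: {name}")
    return problems


def run_demo() -> dict:
    """Build a good and a tampered pack in a temp dir and verify both."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "snapshot-demo.pack.tar.gz")
    bad = os.path.join(d, "snapshot-tampered.pack.tar.gz")
    build_sample_pack(good)
    build_sample_pack(bad, tamper=True)
    return {"good": verify_pack(good), "tampered": verify_pack(bad)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "OK" if not result else result)
```

The three checks are deliberately separate: a digest mismatch, an extra member, and a manifest that disagrees with SHA256SUMS are different failure modes, and a verifier that reports only the first one found makes incident triage harder.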

CI Workflows

  • ledger-packs-ci.yml - Build and verify packs
  • ledger-packs-release.yml - Sign and publish packs

Prerequisites

  • Ledger snapshot schema finalized
  • Storage contract defined
  • Pack format specification