5a480a3c2a
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET. - Added `all-visibility-levels.json` to validate method visibility levels in .NET. - Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application. - Included `go-gin-api.json` for a Go Gin API application structure. - Added `java-spring-boot.json` for the Spring PetClinic application in Java. - Introduced `legacy-no-schema.json` for legacy application structure without schema. - Created `node-express-api.json` for an Express.js API application structure.
2.0 KiB
2.0 KiB
CLI Airgap Guide (DOCS-AIRGAP-57-003)
Offline/air-gapped usage patterns for the Stella CLI.
Offline kit commands
- Import an offline kit (local verification + activation)
stella offline import \ --bundle ./bundle-2025-12-14.tar.zst \ --verify-dsse \ --verify-rekor \ --trust-root /evidence/keys/roots/stella-root.pub - Check current offline kit status
stella offline status --output table
Prerequisites
- CLI installed from offline bundle;
local-nugets/and cached plugins available. - Mirror/Bootstrap bundles staged locally; no external network required.
- Set
STELLA_OFFLINE=trueto prevent outbound fetches.
Common commands
- Validate mirror bundle
stella airgap verify-bundle /mnt/media/mirror.tar \ --manifest /mnt/media/manifest.json \ --trust-root /opt/stella/trust/mirror-root.pem - Import bundle into local registry
stella airgap import --bundle /mnt/media/mirror.tar --generation 12 - Check sealed mode status
stella airgap status - List bundles and staleness
stella airgap list --format table
Determinism & offline rules
- Commands must succeed without egress; any outbound attempt is a bug—report with logs.
- Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
- Outputs are stable JSON/NDJSON; timestamps use UTC.
Exit codes
0success2validation failed (hash/signature mismatch)3sealed-mode violation (unexpected egress attempted)4input/argument error>4unexpected error (inspect logs)
Logs
- Default stderr structured JSON: includes
tenant,bundleId,mirrorGeneration,sealedflag. - For audits, use
--log-file /var/log/stella/airgap.log --log-format json.
Tips
- Keep bundles on read-only media to avoid hash drift.
- Use
--dry-runto validate without writing to registries. - Pair with
docs/airgap/overview.mdanddocs/airgap/sealing-and-egress.mdfor policy context.