stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
51f9b798ed950c8afed8a690e0765d127c388653
git.stella-ops.org/docs/modules/cli/guides/airgap.md
master 7943cfb3af chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates 
Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:06:39 +03:00

2.4 KiB
Raw Blame History

CLI Airgap Guide (DOCS-AIRGAP-57-003)

Offline/air-gapped usage patterns for the Stella CLI.

Offline kit commands

  • Import an offline kit (local verification + activation) 
    stella offline import \
  --bundle ./bundle-2025-12-14.tar.zst \
  --verify-dsse \
  --verify-rekor \
  --trust-root /evidence/keys/roots/stella-root.pub
  • Check current offline kit status 
    stella offline status --output table

Prerequisites

  • CLI installed from offline bundle; local-nugets/ and cached plugins available.
  • Mirror/Bootstrap bundles staged locally; no external network required.
  • Set STELLA_OFFLINE=true to prevent outbound fetches.

Common commands

  • Validate mirror bundle 
    stella airgap verify-bundle /mnt/media/mirror.tar \
  --manifest /mnt/media/manifest.json \
  --trust-root /opt/stella/trust/mirror-root.pem
  • Import bundle into local registry 
    stella airgap import --bundle /mnt/media/mirror.tar --generation 12
    Imported mirror-bundle metadata is written durably under %LocalApplicationData%/stellaops/offline-kit/state/mirror-bundles, so the import history survives fresh CLI processes instead of relying on process-local memory.
  • Check sealed mode status 
    stella airgap status
  • List bundles and staleness 
    stella airgap list --format table

Determinism & offline rules

  • Commands must succeed without egress; any outbound attempt is a bug—report with logs.
  • Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
  • Outputs are stable JSON/NDJSON; timestamps use UTC.
  • Mirror-bundle import metadata is persisted locally with deterministic ordinal ordering for content paths and bundle items.

Exit codes

  • 0 success
  • 2 validation failed (hash/signature mismatch)
  • 3 sealed-mode violation (unexpected egress attempted)
  • 4 input/argument error
  • >4 unexpected error (inspect logs)

Logs

  • Default stderr structured JSON: includes tenant, bundleId, mirrorGeneration, sealed flag.
  • For audits, use --log-file /var/log/stella/airgap.log --log-format json.

Tips

  • Keep bundles on read-only media to avoid hash drift.
  • Use --dry-run to validate without writing to registries.
  • Pair with docs/modules/airgap/guides/overview.md and docs/modules/airgap/guides/sealing-and-egress.md for policy context.