Portable Audit Pack CLI Runbook

Status: Target behavior for implementation sprint handoff (2026-02-10).

Objective

Define expected parity between generation and verification CLI flows for portable audit packs in connected and air-gapped environments.

Export workflow (target)

stella auditpack export \
  --artifact myorg/myapp@sha256:<digest> \
  --bom sbom.json \
  --vex vex/*.json \
  --out artifact-audit-pack.tzst \
  --profile portable-v1 \
  --rekor-tiles fetch \
  --sign-key ed25519:stella-bom-signer@2026Q1

Expected behavior:

Emits manifest conforming to portable-audit-pack-manifest.v1.schema.json.
Produces deterministic archive metadata and ordered contents.
Emits stable machine-readable summary ordered by file path.

Verify workflow (target)

stella auditpack verify artifact-audit-pack.tzst --offline --profile portable-v1

Required checks:

Manifest signature verification.
File digest and size verification.
DSSE payload digest binding verification.
Rekor inclusion/root verification from bundled material.
Optional Parquet fingerprint verification when present.

Output contract

Human output grouped in fixed order: manifest -> file digests -> DSSE -> Rekor -> optional index.
JSON output fields sorted lexicographically for deterministic diffing.
Non-zero exit and stable error codes on first failure.

Air-gap operator sequence

Transfer bundle to offline verifier host.
Run stella auditpack verify ... --offline.
Archive verification output with audit evidence.
Record profile version and verifier key IDs in release record.

Documentation dependency

Keep this runbook aligned with:
- portable-audit-pack-contract.md
- portable-audit-pack-rekor-offline.md
- portable-audit-pack-test-matrix.md

1.8 KiB Raw Blame History