git.stella-ops.org/docs/airgap/bootstrap.md

# Bootstrap Pack (Airgap 56-004)

Guidance to build and install the bootstrap pack that primes sealed environments.

## Contents
- Core images/charts for platform services (Authority, Excititor, Concelier, Export Center, Scheduler) with digests.
- Offline NuGet/npm caches (if permitted) with checksum manifest.
- Configuration defaults: sealed-mode toggles, trust roots, time-anchor bundle, network policy presets.
- Verification scripts: hash check, DSSE verification (if available), and connectivity probes to local mirrors.

## Build steps
1. Gather image digests and charts from trusted registry/mirror.
2. Create `bootstrap-manifest.json` with:
   - `bundleId`, `createdAt` (UTC), `producer`, `mirrorGeneration`
   - `files[]` (path, sha256, size, mediaType)
   - optional `dsseEnvelopeHash`
3. Package into tarball with deterministic ordering (POSIX tar, sorted paths, numeric owner 0:0).
4. Compute sha256 for tarball; record in manifest.

## Install steps
1. Transfer pack to sealed site (removable media).
2. Verify tarball hash and DSSE (if present) using offline trust roots.
3. Load images/charts into local registry; preload caches to `local-nugets/` etc.
4. Apply network policies (deny-all) and sealed-mode config.
5. Register bootstrap manifest and mirrorGeneration with Excititor/Export Center.

## Determinism & rollback
- Keep manifests in ISO-8601 UTC; no host-specific metadata in tar headers.
- For rollback, retain previous bootstrap tarball + manifest; restore registry contents and config snapshots.

## Related
- `docs/airgap/mirror-bundles.md` — mirror pack format and validation.
- `docs/airgap/sealing-and-egress.md` — egress enforcement used during install.