DevPortal Offline Prep — PREP-DVOFF-64-002

Status: Ready for implementation (2025-11-20) Owners: DevPortal Offline Guild · AirGap Controller Guild Scope: Define sealed bundle sample + CLI verify flow for DevPortal offline verification (stella devportal verify bundle.tgz).

Required inputs

EvidenceLocker sealed bundle contract: docs/modules/evidence-locker/bundle-packaging.md (bundle.tgz layout, determinism).
Portable bundle guidance: docs/airgap/portable-evidence.md (for redacted flow).

Sample artefacts to publish

out/devportal/samples/bundle.tgz — copy of EvidenceLocker sealed bundle (write-once).
out/devportal/samples/bundle.tgz.sha256 — sha256 bundle.tgz line.
out/devportal/samples/verify-report.json — expected CLI JSON output after verification (see below).

CLI verification flow (contract)

Command: stella devportal verify --bundle bundle.tgz --offline
Steps performed:
1. Validate SHA-256 against .sha256 file.
2. Extract manifest.json, signature.json, bundle.json, checksums.txt (no rewrite).
3. Run DSSE verification (offline) using embedded signature; if TSA token present, report but do not fail when --offline is set.
4. Emit JSON output:

{
  "status": "verified",
  "bundleId": "<bundleId>",
  "rootHash": "sha256:0123deadbeef",
  "entries": 4,
  "createdAt": "2025-01-01T00:00:00Z",
  "portable": false
}

Exit codes: 0 success, 2 checksum mismatch, 3 signature failure, 4 TSA missing (when not offline), 5 unexpected.
Determinism: no network calls when --offline; output JSON keys sorted.

Acceptance criteria

Sample bundle and .sha256 published under out/devportal/samples/ with hashes listed in this sprint.
CLI flow documented above; exit codes and sample JSON provided.
Prep doc linked from Sprint 0162 P1 and DevPortal docs when implemented.

Next steps

Publish the sample bundle + hashes; update sprint Delivery Tracker to DONE once artifacts exist.

1.9 KiB Raw Blame History