stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
d519782a8f0b30f425c9b6ae0f316b19259972a2
git.stella-ops.org/docs/modules/export-center/prep/2025-11-20-export-attest-74-002-prep.md
master d519782a8f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
prep docs and service updates
2025-11-21 06:56:36 +00:00

2.6 KiB
Raw Blame History

Export Attestation Prep — PREP-EXPORT-ATTEST-74-002

Status: Ready for implementation (2025-11-20) Owners: Attestation Bundle Guild · DevOps Guild Scope: Integrate attestation export bundle job (74-001) into CI/offline kit packaging, publish checksums, and ensure deterministic artefact promotion.

Dependencies

  • Export bundle contract v1 from 74-001: docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md.
  • EvidenceLocker/Attestor attestation format (DSSE) — no re-signing allowed.
  • Air-gap kit structure (mirror/bootstrap packs) from Sprint 160/56-002 for placement of attestation bundles.

CI/offline kit integration contract

  • Build step: Invoke ExportCenter job for targeted attestationId and stage export-attestation-bundle-v1.tgz under out/export/attestations/{exportId}/.
  • Checksum publication: emit export-attestation-bundle-v1.tgz.sha256 alongside the archive; contents sha256 filename with filename exactly export-attestation-bundle-v1.tgz.
  • Offline kit layout: 
    offline-kit/
  checksums/
    attestations/
      export-attestation-bundle-v1.tgz.sha256
  attestations/
    export-attestation-bundle-v1.tgz
  • Promotion: artefacts are immutable; CI publishes to out/export/offline-kits/{kitVersion}/ with write-once semantics. Promotion between environments copies bytes; no rebuilds.
  • Metadata: append to out/export/offline-kits/{kitVersion}/manifest.json: 
    {
  "kind": "attestation-export",
  "exportId": "...",
  "attestationId": "...",
  "rootHash": "sha256:...",
  "artifact": "attestations/export-attestation-bundle-v1.tgz",
  "checksum": "checksums/attestations/export-attestation-bundle-v1.tgz.sha256",
  "createdAt": "2025-11-20T00:00:00Z"
}
  • Determinism: CI must set SOURCE_DATE_EPOCH=1735689600 (2025-01-01T00:00:00Z) for any tar/gzip operations when re-wrapping kits; do not re-tar the inner export bundle.

Acceptance criteria

  • Export bundle generated by 74-001 is copied bit-for-bit into the offline kit; SHA256 in checksums file matches archive and manifest.json entry.
  • Kit manifest contains the attestation entry with UTC timestamp and root hash; promotion produces identical bytes across runs.
  • CI logs include the exportId and SHA256; failures stop the pipeline and do not overwrite prior artefacts.

Handoff

  • Wire CI/packaging scripts in ExportCenter DevOps pipeline to consume the 74-001 export endpoint and assemble offline kit layout above.
  • Update Sprint 0162 Delivery Tracker entry P7 with status changes when implemented.