- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
16 lines
895 B
Markdown
# CLI Install & Update Integrity (v1) — 2025-12-01

## Requirements

- Checksums: Every release publishes `stellaops-cli-$version.tar.zst` with `SHA256SUMS` and a detached `.sig`.
- Verification: `stella install` and `stella self-update` run `cosign verify` by default against the pinned public key fingerprint; `--skip-verify` is prohibited.
- Offline: Provide `install-offline.sh`, which reads from the kit directory and performs checksum and signature checks only; no network fetches.
- Buildx plugin: Pin the image digest (see `cli-spec-v1.yaml`); the rollback command is included in help.

## Failure modes

- Missing checksum/signature → command fails with exit code 21 and a structured error.
- Digest mismatch → command fails with exit code 22 and logs the path to the offending file.

## Artifacts

- Public key fingerprints are recorded in `cli-spec-v1.yaml`.
- An example verify script is to be bundled in the release kit: `scripts/cli/verify-install.sh`.
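
The two failure modes above, sketched as an offline check in POSIX shell. This is an added example, not the project's `scripts/cli/verify-install.sh`; the kit layout, the `SHA256SUMS.sig` file name, the JSON error shape and exit code 2 for an absent tarball are assumptions. It covers the presence and digest checks only; verifying the signature itself with cosign is a separate step not shown here.

```shell
#!/bin/sh
# Added example. Assumed: kit layout, SHA256SUMS.sig name, JSON error shape.

err() {  # err CODE REASON PATH: print one structured error line to stderr
    printf '{"code":%d,"error":"%s","path":"%s"}\n' "$1" "$2" "$3" >&2
}

sha256_of() {  # print the hex SHA-256 of a file, using whichever tool exists
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

check_kit() {  # check_kit KIT_DIR VERSION -> 0 ok, 21 missing, 22 mismatch
    kit=$1
    name="stellaops-cli-$2.tar.zst"
    sums="$kit/SHA256SUMS"
    sig="$kit/SHA256SUMS.sig"   # assumed file name for the detached signature

    # Exit 2 for an absent tarball is this example's choice, not the spec's.
    [ -f "$kit/$name" ] || { err 2 artifact_missing "$kit/$name"; return 2; }
    [ -s "$sums" ] || { err 21 checksum_missing "$sums"; return 21; }
    [ -s "$sig" ]  || { err 21 signature_missing "$sig"; return 21; }

    # SHA256SUMS lines look like "<hex>  <file>" or "<hex> *<file>".
    want=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n)
        if (n == f) { print tolower($1); exit } }' "$sums")
    # A SHA256SUMS file with no entry for this tarball counts as missing.
    [ -n "$want" ] || { err 21 checksum_missing "$kit/$name"; return 21; }

    got=$(sha256_of "$kit/$name")
    if [ "$got" != "$want" ]; then
        err 22 digest_mismatch "$kit/$name"   # path to the offending file
        return 22
    fi
    return 0
}
```

Call it as `check_kit /path/to/kit 1.2.3` and propagate its return value as the installer's exit status.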