git.stella-ops.org/docs/modules/cli/guides/airgap.md
master 7943cfb3af chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates
Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:06:39 +03:00


# CLI Airgap Guide (DOCS-AIRGAP-57-003)
Offline/air-gapped usage patterns for the Stella CLI.
## Offline kit commands
- Import an offline kit (local verification + activation)
```bash
stella offline import \
--bundle ./bundle-2025-12-14.tar.zst \
--verify-dsse \
--verify-rekor \
--trust-root /evidence/keys/roots/stella-root.pub
```
- Check current offline kit status
```bash
stella offline status --output table
```
## Prerequisites
- CLI installed from offline bundle; `local-nugets/` and cached plugins available.
- Mirror/Bootstrap bundles staged locally; no external network required.
- Set `STELLA_OFFLINE=true` to prevent outbound fetches.
## Common commands
- Validate mirror bundle
```bash
stella airgap verify-bundle /mnt/media/mirror.tar \
--manifest /mnt/media/manifest.json \
--trust-root /opt/stella/trust/mirror-root.pem
```
- Import bundle into local registry
```bash
stella airgap import --bundle /mnt/media/mirror.tar --generation 12
```
Imported mirror-bundle metadata is written durably under `%LocalApplicationData%/stellaops/offline-kit/state/mirror-bundles`, so the import history survives fresh CLI processes instead of relying on process-local memory.
- Check sealed mode status
```bash
stella airgap status
```
- List bundles and staleness
```bash
stella airgap list --format table
```
## Determinism & offline rules
- Commands must succeed without egress; any outbound attempt is a bug—report with logs.
- Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
- Outputs are stable JSON/NDJSON; timestamps use UTC.
- Mirror-bundle import metadata is persisted locally with deterministic ordinal ordering for content paths and bundle items.
## Exit codes
- `0` success
- `2` validation failed (hash/signature mismatch)
- `3` sealed-mode violation (unexpected egress attempted)
- `4` input/argument error
- `>4` unexpected error (inspect logs)
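The exit codes above can gate an import so that a bundle reaches the local registry only after `verify-bundle` returns `0`. This wrapper is an added example, not part of the Stella CLI or its docs; `STELLA_BIN`, `classify_exit` and `gated_import` are hypothetical names, and exit code `1`, which the list does not document, is treated as unexpected.

```bash
#!/usr/bin/env bash
# Added example: verify-then-import gate driven by the documented exit codes.
# STELLA_BIN is a hypothetical override for the CLI path, not a Stella setting.
STELLA_BIN="${STELLA_BIN:-stella}"

# Map an exit code to a short label suitable for an audit record.
classify_exit() {
  case "$1" in
    0) echo "ok" ;;
    2) echo "validation-failed" ;;       # hash/signature mismatch
    3) echo "sealed-mode-violation" ;;   # unexpected egress attempted
    4) echo "input-error" ;;
    *) echo "unexpected-error" ;;        # >4, or anything undocumented
  esac
}

# Usage: gated_import <bundle> <manifest> <trust-root> <generation>
# Runs verify-bundle first; import runs only if verification exited 0.
gated_import() {
  bundle=$1; manifest=$2; trust_root=$3; generation=$4
  rc=0
  STELLA_OFFLINE=true "$STELLA_BIN" airgap verify-bundle "$bundle" \
    --manifest "$manifest" --trust-root "$trust_root" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "verify-bundle: $(classify_exit "$rc") (exit $rc); import skipped" >&2
    return "$rc"
  fi
  STELLA_OFFLINE=true "$STELLA_BIN" airgap import \
    --bundle "$bundle" --generation "$generation" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "import: $(classify_exit "$rc") (exit $rc)" >&2
  fi
  return "$rc"
}
```

The wrapper returns the CLI's own exit code unchanged, so calling automation can still distinguish a signature failure (`2`) from a sealed-mode violation (`3`).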
## Logs
- By default, logs are written to stderr as structured JSON and include `tenant`, `bundleId`, `mirrorGeneration`, and the `sealed` flag.
- For audits, use `--log-file /var/log/stella/airgap.log --log-format json`.
## Tips
- Keep bundles on read-only media to avoid hash drift.
- Use `--dry-run` to validate without writing to registries.
- Pair with `docs/modules/airgap/guides/overview.md` and `docs/modules/airgap/guides/sealing-and-egress.md` for policy context.