git.stella-ops.org/devops/services/ledger/packs-infrastructure.md
2025-12-26 18:11:06 +02:00

# Findings Ledger Packs Infrastructure
## Scope
Infrastructure for snapshot/time-travel export packaging and signing.
## Tasks Covered
- DEVOPS-LEDGER-PACKS-42-001-REL: Snapshot/time-travel export packaging
- DEVOPS-LEDGER-PACKS-42-002-REL: Pack signing + integrity verification
## Components
### 1. Pack Builder
Creates deterministic export packs from Ledger snapshots.
```bash
# Build pack from snapshot
./ops/devops/ledger/build-pack.sh --snapshot-id <id> --output out/ledger/packs/
# Dev mode with signing
COSIGN_ALLOW_DEV_KEY=1 ./ops/devops/ledger/build-pack.sh --sign
```
### 2. Pack Verifier
Verifies pack integrity and signatures.
```bash
# Verify pack
./ops/devops/ledger/verify-pack.sh out/ledger/packs/snapshot-*.pack.tar.gz
```
### 3. Time-Travel Export
Creates point-in-time exports for compliance/audit.
```bash
# Export at specific timestamp
./ops/devops/ledger/time-travel-export.sh --timestamp 2025-12-01T00:00:00Z
```
## Pack Format
```
snapshot-<id>.pack.tar.gz
├── manifest.json          # Pack metadata + checksums
├── findings/              # Finding records (NDJSON)
├── metadata/              # Scan metadata
├── provenance.json        # SLSA provenance
└── signatures/
    ├── manifest.dsse.json # DSSE signature over manifest.json
    └── SHA256SUMS         # Checksums
```
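The verification order this layout implies (check the DSSE envelope over the manifest first, then check every packed file against the manifest's checksums, and flag files the manifest does not list) is shown below as an added example; it is not the project's `verify-pack.sh` and does not read a real pack. The file contents, the `DSSEv1` PAE encoding and the manifest shape are constructed for illustration, and an HMAC-SHA256 key stands in for the cosign/DSSE signature so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample pack contents (path -> bytes); stands in for the tarball.
FILES = {
    "findings/findings.ndjson": b'{"id":"f-1","severity":"high"}\n',
    "metadata/scan.json": b'{"scanner":"example","version":"0.0.0"}\n',
    "provenance.json": b'{"_type":"https://in-toto.io/Statement/v1"}\n',
}
DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stand-in for the real signing key
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    # Sorted paths keep the manifest deterministic across builds.
    return {"snapshot_id": "demo-0001",
            "files": {p: sha256_hex(b) for p, b in sorted(files.items())}}

def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE pre-authentication encoding: "DSSEv1 <len(type)> <type> <len(payload)> <payload>"
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign_manifest(manifest: dict, key: bytes) -> dict:
    # Produces a manifest.dsse.json-style envelope (base64 payload + signature list).
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}

def verify_pack(files: dict, envelope: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the pack verifies."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        return ["manifest signature does not verify"]  # manifest untrusted: stop here
    manifest = json.loads(payload)
    problems = []
    for path, digest in manifest["files"].items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha256_hex(files[path]) != digest:
            problems.append(f"checksum mismatch: {path}")
    for path in files:
        if path not in manifest["files"]:
            problems.append(f"unlisted file: {path}")  # content the manifest never vouched for
    return problems
```

Checksums are only trusted once the envelope verifies, so a tampered manifest cannot vouch for tampered files.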
## CI Workflows
- `ledger-packs-ci.yml` - Build and verify packs
- `ledger-packs-release.yml` - Sign and publish packs
## Prerequisites
- Ledger snapshot schema finalized
- Storage contract defined
- Pack format specification