Run Stella Ops on Air‑Gapped Networks
One signed bundle delivers feeds, images, and provenance so the same Stella Ops experience works behind the strictest perimeter.
1 · What’s inside
Curated advisories
Global feeds plus regional sources (CNNVD, JVN, ENISA, BDU) preserved as individual signed snapshots so policy can trust or ignore each one independently.
Preloaded runtime
Scanner, Zastava, and supporting images for x86‑64 and arm64 ready to mirror into your registry.
Provenance & SBOM
Cosign signatures, DSSE attestations, and SPDX SBOMs that prove what you imported.
Delta updates
Compact daily patches keep the kit fresh without hauling gigabytes across the perimeter.
2 · Three simple steps
- Download the latest kit and signature on a connected mirror (or receive it via courier).
- Verify with the public Cosign key from /keys/; unsigned bundles never cross the boundary.
- Import using `stella offline-kit import` (or the Console). Feeds swap in under three seconds.
Automation scripts, manifest audits, and troubleshooting live in the Offline Kit guide.
3 · Keep multiple sites in sync
- Schedule the download on a connected mirror (we publish ready-to-run cron snippets).
- Transfer via your approved channel: USB, courier, or a controlled rsync drop box.
- Import on each air‑gapped site according to your change window.
4 · Before you import
- Log the bundle ID and manifest hash for your compliance trail.
- Rotate the free quota token on your schedule; validation stays offline.
- Store a clean copy in a tamper-evident vault so you can reissue the kit quickly.
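
A pre-import gate covering the verify step in section 2 and the compliance logging in section 4, as an added example that is not Stella Ops' own tooling. The file paths, the bundle ID argument and the audit-log format are assumptions, and the SHA-256 is computed over the kit file itself because this page does not describe the manifest layout.

```shell
#!/bin/sh
# Added example: pre-import gate for an offline kit (not Stella Ops' own script).
# Assumptions: all paths, the bundle ID string and the log line format are
# hypothetical; the digest is taken over the kit file, not a separate manifest.

# preimport_gate KIT SIG PUBKEY BUNDLE_ID AUDIT_LOG
# Returns 0 only when the detached signature verifies, 1 when it does not,
# 2 when an input is missing. Every verification attempt is appended to the log.
preimport_gate() {
    kit=$1 sig=$2 key=$3 bundle_id=$4 log=$5

    for f in "$kit" "$sig" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done

    # Hash before verifying so a rejected bundle is still identifiable later.
    digest=$(sha256sum "$kit" | cut -d' ' -f1) || return 2
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Key-based verification of a detached signature over the kit file.
    # Whether a transparency-log check also applies depends on how the kit
    # was signed and on the cosign version; the page does not say.
    if cosign verify-blob --key "$key" --signature "$sig" "$kit" >/dev/null 2>&1; then
        result=VERIFIED; rc=0
    else
        result=REJECTED; rc=1
    fi

    printf '%s bundle=%s sha256=%s result=%s\n' \
        "$ts" "$bundle_id" "$digest" "$result" >> "$log"
    return "$rc"
}
```

Call `preimport_gate` with the kit, its signature, the public key, the bundle ID and the audit-log path, and run the import only when it returns 0.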