Offline Update Kit (OUK) — 100 % Air‑Gap Operation
Status: ships together with the public α
v0.1.0(ETA late 2025).
All commands below assume the bundle namestella-ouk‑2025‑α.tar.gz– adjust once the real date tag is known.
1 · What’s in the bundle 📦
| Item | Purpose |
|---|---|
| Vulnerability database | Pre‑merged snapshot of NVD 2.0, OSV, GHSA + optional regional catalogue feeds |
| Container images | Scanner + Zastava for x86‑64 & arm64 |
| Cosign signatures | Release attestation & SBOM integrity |
| SPDX SBOM | Cryptographically signed bill of materials |
| Authority plug-ins & manifests | plugins/authority/** now contains the Standard + LDAP plug-in binaries, hashes, and sample manifests (etc/authority.plugins/*.yaml) so air-gapped operators can drop them into /plugins/authority without rebuilding. |
| Import manifest | Check‑sums & version metadata |
Nightly delta patches keep the bundle < 350 MB while staying T‑1 day current.
2 · Download & verify 🔒
curl -LO https://get.stella-ops.org/releases/latest/stella-ops-offline-usage-kit-v0.1a.tar.gz
curl -LO https://get.stella-ops.org/releases/latest/stella-ops-offline-usage-kit-v0.1a.tar.gz.sig
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature stella-ops-offline-usage-kit-v0.1a.tar.gz.sig \
stella-ops-offline-usage-kit-v0.1a.tar.gz
The output shows Verified OK and the SHA‑256 digest ‑ compare with the release notes.
3 · Import on the isolated host 🚀
docker compose --env-file .env -f compose-stella.yml \
exec stella-ops stella ouk import stella-ops-offline-usage-kit-v0.1a.tar.gz
- The scanner verifies the Cosign signature before activation.
- DB switch is atomic – no downtime for running jobs.
- Import time on an SSD VM ≈ 5‑7 s.
4 · How the quota works offline 🔢
| Mode | Daily scans | Behaviour at 200 scans | Behaviour over limit |
|---|---|---|---|
| Anonymous | 33 | Reminder banner | CLI slows ~10 % |
| Token (JWT) | 333 | Reminder banner | Throttle continues, never blocks |
Request a free JWT: send a blank e‑mail to token@stella-ops.org – the bot replies with a signed token that you store as STELLA_JWT in .env.
5 · Updating the bundle ⤴️
- Download the newer tarball & signature.
- Repeat the verify‑blob step.
- Run
stella ouk import <file>– only the delta applies; average upgrade time is < 3 s.
6 · Road‑map highlights for Sovereign 🌐
| Release | Planned feature |
|---|---|
| v0.1 α (late 2025) | Manual OUK import • Zastava beta |
| v0.3 β (Q2 2026) | Auto‑apply delta patch • nightly re‑scan |
| v0.4 RC (Q3 2026) | LDAP/AD SSO • registry scanner GA |
| v1.0 GA (Q4 2026) | Custom TLS/crypto adaptors (incl. SM2)—enabled where law or security requires it |
Full details live in the public Road‑map.
7 · Troubleshooting 🩹
| Symptom | Fix |
|---|---|
cosign: signature mismatch | File corrupted ‑ re‑download both tarball & .sig |
ouk import: no space left | Ensure 8 GiB free in /var/lib/docker |
| Import succeeds but scans still hit Internet | Confirm STELLA_AIRGAP=true in .env (v0.1‑α setting) |
8 · FAQ — abbreviated ❓
Does the JWT token work offline?
Yes. Signature validation happens locally; no outbound call is made.
Can I mirror the bundle internally?
Absolutely. Host the tarball on an intranet HTTP/S server or an object store; signatures remain valid.
Is there a torrent alternative?
Planned for the β releases – follow the community chat for ETA.
Licence & provenance 📜
The Offline Update Kit is part of Stella Ops and therefore AGPL‑3.0‑or‑later. All components inherit the same licence.
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature stella-ops-offline-usage-kit-v0.1a.tar.gz.sig \
stella-ops-offline-usage-kit-v0.1a.tar.gz
— Happy air‑gap scanning! © 2025‑2026 Stella Ops