vm-ops/50-runbooks/10-provision/anchor-doctrine-to-ledger.md
2025-12-27 00:21:38 +00:00

# Runbook: Anchor Doctrine to Civilization Ledger
## Purpose
Produce tamper-evident, witness-backed receipts for doctrine files so audits can verify: **git state ↔ signed entry ↔ inclusion proof ↔ witness attestation**.
## Preconditions
- Access/role required: operator key + (optional) witness key.
- Systems required:
  - `ops/` working tree
  - Civilization Ledger CLI (`ledger`)
- Expected safe state:
  - No plaintext secrets in `ops/` or `civilization-ledger/`
  - Doctrine files have been reviewed and are ready to anchor
- Time estimate: 25 minutes
## Steps
1. Build the `ledger` CLI if needed:
```bash
cd ../civilization-ledger
cargo build -p ledger-cli
```
2. Choose a ledger directory (persistent, not inside Git), e.g.:
```bash
export LEDGER_DIR="$HOME/.local/share/civ-ledger/ops-law"
```
3. Ensure keys exist (store outside Git):
```bash
mkdir -p ~/.config/civ-ledger/keys
ledger keygen --out ~/.config/civ-ledger/keys/operator.json
ledger keygen --out ~/.config/civ-ledger/keys/witness.json
```
4. Anchor doctrine and emit receipts into `ops/70-audits/reports/ledger/`:
```bash
cd ops
./80-automation/scripts/anchor-doctrine-to-ledger.sh \
--ledger-dir "$LEDGER_DIR" \
--operator-key ~/.config/civ-ledger/keys/operator.json \
--witness-key ~/.config/civ-ledger/keys/witness.json
```
5. (Optional) Commit the receipts as audit evidence:
```bash
git add 70-audits/reports/ledger
git commit -m "audit: anchor doctrine receipts"
```
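Steps 2 and 3 require the ledger directory and the key files to live outside Git and the keys to stay private. The following preflight check is an added example, not part of the runbook or the ledger project; it assumes that a `.git` entry in any ancestor directory marks a Git working tree, and that an owner-only (no group/other bits) key file is the intended state.

```shell
#!/usr/bin/env bash
# Added preflight for steps 2-3 (example, not the runbook's own script).
# Assumption: a ".git" entry in any ancestor directory marks a Git working tree.

# Returns 0 if no ancestor of $1 (or of its nearest existing ancestor, when
# the path has not been created yet) contains a ".git" entry.
outside_git_tree() {
  local p="$1" dir
  while [ ! -d "$p" ]; do p="$(dirname "$p")"; done
  dir="$(cd "$p" && pwd -P)" || return 1
  while [ "$dir" != "/" ]; do
    [ -e "$dir/.git" ] && return 1
    dir="$(dirname "$dir")"
  done
  [ ! -e "/.git" ]
}

# Returns 0 if $1 is a regular file with no group/other permission bits.
# Uses POSIX find symbolic -perm tests so it works with GNU and BSD find.
key_file_private() {
  local f="$1"
  [ -f "$f" ] || return 1
  [ -z "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)" ]
}

# preflight LEDGER_DIR KEY_FILE...: prints one line per finding,
# returns 1 if the ledger dir or any key is inside Git or a key is not private.
preflight() {
  local ledger_dir="$1" rc=0 k
  shift
  if outside_git_tree "$ledger_dir"; then
    echo "ok:   $ledger_dir is outside a Git working tree"
  else
    echo "FAIL: $ledger_dir is inside a Git working tree"; rc=1
  fi
  for k in "$@"; do
    if ! outside_git_tree "$k"; then
      echo "FAIL: key $k is inside a Git working tree"; rc=1
    fi
    if key_file_private "$k"; then
      echo "ok:   key $k is owner-only"
    else
      echo "FAIL: key $k is missing or readable by group/others"; rc=1
    fi
  done
  return "$rc"
}

# Stand-alone usage, matching the paths chosen in steps 2-3:
# preflight "$LEDGER_DIR" ~/.config/civ-ledger/keys/operator.json ~/.config/civ-ledger/keys/witness.json
```

Run it before step 4; a non-zero exit means the anchor script would write receipts or read keys from a location the runbook says to avoid.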
## Validation
- Receipts exist under `70-audits/reports/ledger/`.
- Each receipt passes verification:
```bash
ledger verify-receipt --receipt 70-audits/reports/ledger/<receipt>.json --require-attestation
```
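The validation bullet above verifies one receipt at a time. The following loop is an added example, not part of the runbook or the ledger project: it runs the page's `ledger verify-receipt --receipt <file> --require-attestation` call over every `*.receipt.json` in the reports directory and fails the run if any receipt does not verify or if no receipts are present (an empty directory after step 4 is itself a failure worth catching). `VERIFY_CMD` is an assumed hook that lets a wrapper stand in for the real `ledger` binary.

```shell
#!/usr/bin/env bash
# Added validation loop (example, not the runbook's own script).
# VERIFY_CMD is an assumed hook so a wrapper can replace the real `ledger` binary.
: "${VERIFY_CMD:=ledger}"

# Verifies one receipt with the CLI call from the runbook; returns its exit status.
verify_one() {
  "$VERIFY_CMD" verify-receipt --receipt "$1" --require-attestation >/dev/null 2>&1
}

# verify_receipt_dir DIR: verifies every DIR/*.receipt.json, prints ok/FAIL per
# file plus a summary, returns 1 if no receipts were found or any one failed.
verify_receipt_dir() {
  local dir="$1" total=0 failed=0 f
  for f in "$dir"/*.receipt.json; do
    [ -e "$f" ] || continue          # unexpanded glob: no receipts present
    total=$((total + 1))
    if verify_one "$f"; then
      echo "ok:   $f"
    else
      echo "FAIL: $f"; failed=$((failed + 1))
    fi
  done
  echo "verified $((total - failed))/$total receipts"
  [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Stand-alone usage from the ops/ working tree (uses the real ledger binary):
# verify_receipt_dir 70-audits/reports/ledger
```

Wire this into the audit checklist so a single unverifiable receipt blocks the "receipts exist" box from being ticked; the summary line gives the count to record in the audit notes.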
## Rollback / Abort
- Ledger writes are append-only. If you anchored something you didn't intend:
  - correct the doctrine in Git,
  - anchor again (new entry),
  - record the supersession in audit notes.
## Evidence
- Receipt files: `70-audits/reports/ledger/*.receipt.json`
- (Optional) `ledger verify-attestations --dir "$LEDGER_DIR" --format json` output