vaultsovereign/vm-ops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e1fd9886e812fd39132e98a309afd2a72d0e158a
vm-ops/50-runbooks/10-provision/anchor-doctrine-to-ledger.md
vaultsovereign 59cf23e152 ops: add doctrine anchor script and runbook
2025-12-27 00:21:38 +00:00

2.1 KiB
Raw Blame History

Runbook: Anchor Doctrine to Civilization Ledger

Purpose

Produce tamper-evident, witness-backed receipts for doctrine files so audits can verify: git state ↔ signed entry ↔ inclusion proof ↔ witness attestation.

Preconditions

  • Access/role required: operator key + (optional) witness key.
  • Systems required:
    • ops/ working tree
    • Civilization Ledger CLI (ledger)
  • Expected safe state:
    • No plaintext secrets in ops/ or civilization-ledger/
    • Doctrine files have been reviewed and are ready to anchor
  • Time estimate: 25 minutes

Steps

  1. Build the ledger CLI if needed:

    cd ../civilization-ledger
cargo build -p ledger-cli

  2. Choose a ledger directory (persistent, not inside Git), e.g.:

    export LEDGER_DIR="$HOME/.local/share/civ-ledger/ops-law"

  3. Ensure keys exist (store outside Git):

    mkdir -p ~/.config/civ-ledger/keys
ledger keygen --out ~/.config/civ-ledger/keys/operator.json
ledger keygen --out ~/.config/civ-ledger/keys/witness.json

  4. Anchor doctrine and emit receipts into ops/70-audits/reports/ledger/:

    cd ops
./80-automation/scripts/anchor-doctrine-to-ledger.sh \
  --ledger-dir "$LEDGER_DIR" \
  --operator-key ~/.config/civ-ledger/keys/operator.json \
  --witness-key ~/.config/civ-ledger/keys/witness.json

  5. (Optional) Commit the receipts as audit evidence:

    git add 70-audits/reports/ledger
git commit -m "audit: anchor doctrine receipts"

Validation

  • Receipts exist under 70-audits/reports/ledger/.

  • Each receipt passes verification:

    ledger verify-receipt --receipt 70-audits/reports/ledger/<receipt>.json --require-attestation

Rollback / Abort

  • Ledger writes are append-only. If you anchored something you didnt intend:
    • correct the doctrine in Git,
    • anchor again (new entry),
    • record the supersession in audit notes.

Evidence

  • Receipt files: 70-audits/reports/ledger/*.receipt.json
  • (Optional) ledger verify-attestations --dir "$LEDGER_DIR" --format json output
Reference in New Issue View Git Blame Copy Permalink