ZARF — air-gap deploy

Build, sign, and inspect

# build the killinchu ZARF package (from uds-bundles/PER_BUNDLE/killinchu)
zarf package create . --confirm

# inspect the published Warhacker bundle definition
zarf package inspect definition bundle.tar.zst
#   -> governance components: a11oy / amaru / sentra / killinchu / rosie

Air-gap deploy demo (disconnected node)

# 0) carry bundle.tar.zst + cosign.pub + bundle.tar.zst.rekor.bundle across the gap
# 1) integrity
sha256sum -c bundle.tar.zst.sha256                 # -> OK
# 2) authenticity (offline, no tlog egress)
cosign verify-blob --key cosign.pub --insecure-ignore-tlog=true \
  --signature bundle.tar.zst.sig bundle.tar.zst    # -> Verified OK
# 3) initialize Zarf on the disconnected cluster
zarf init --confirm
# 4) deploy the killinchu package
zarf package deploy bundle.tar.zst --confirm
# 5) confirm the deployment is Available (chart waits up to 180s)
kubectl -n killinchu rollout status deploy/killinchu-bundle

The package's zarf.yaml declares the killinchu namespace (Istio injection + UDS Core labels), the helm chart killinchu@0.3.1, and the image ghcr.io/szl-holdings/killinchu:uds-v0.3.1, with an onDeploy wait for readiness.

Live air-gap verify endpoint

The Space exposes a signed-inventory air-gap check (never fail-open): POST /api/killinchu/uds/v1/airgap/verify-deploy, and a Big Bang parity map at /api/killinchu/uds/v1/big-bang/parity (HTTP 200).