Skip to content
Catalog

Catalog Consumption

Catalog Snapshot

Section titled “Catalog Snapshot”

The catalog exposes a curated collection of hardened application bundles. Each package ships with:

  • Signed archives compatible with air-gapped transport.
  • CVE metadata generated during nightly scans.

Legacy docs open in a new tab. Bookmark the Astro version for future updates.

  • Component provenance via SBOM exports.

The Astro /catalog route renders this data for at-a-glance awareness. During early development the grid is populated with representative mock data; a real API integration will land in Phase 2 when the GitHub source of truth is wired in.

Verifying Packages

Section titled “Verifying Packages”

  1. Download the desired tarball from the catalog or synchronize the git repository offline.

  2. Verify the detached signature:

    Terminal window
    cosign verify-blob --key cosign.pub --signature <package>.sig <package>.tar.zst

  3. Inspect the SBOM (CycloneDX) and scan report before promoting to production.

Deploying a Bundle

Section titled “Deploying a Bundle”

Once validated, deploy from the CLI:

Terminal window
d0s deploy ./packages/keycloak

The CLI automatically detects whether it is connected or running in a fully disconnected environment and adjusts the workflow accordingly.

Next Steps

Section titled “Next Steps”
  • Phase 2 will introduce live data hydration using GitHub APIs and ETag-aware caching.
  • Watch /catalog for charting and advanced filtering once connected to production telemetry.