Air-gapped BYOC install
Install Veto with no runtime egress.
./airgap-load.sh registry.local:5000 latest && helm install veto-operator ./chart/veto-operator-0.1.0.tgz --namespace veto-operator-system --create-namespace -f patched-values.yaml
Air-gapped mode sets AIRGAP_ENABLED=true, disables heartbeat, disables anonymous telemetry, and validates an offline license JWT from a mounted customer secret/file.
The release bundle contains customer-plane image tarballs, the Helm chart tarball and signature, detached attestations, SBOMs, OpenVEX, and airgap-load.sh. The loader retags and pushes images to your local registry and emits Helm values with offline flags enforced.
Verify the OCI attestations before mirroring images:
IMAGE=ghcr.io/plawio/veto-server:v0.1.0
IDENTITY='^https://github.com/PlawIO/veto-platform/.github/workflows/release-images.yaml@refs/(tags/v.*|heads/main)$'
ISSUER=https://token.actions.githubusercontent.com
cosign verify-attestation --type cyclonedx --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$IMAGE"
cosign verify-attestation --type spdxjson --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$IMAGE"
cosign verify-attestation --type slsaprovenance --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$IMAGE"
cosign verify-attestation --type openvex --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$IMAGE"
The identity policy intentionally accepts tag releases (refs/tags/v*) and manual release dry-runs from refs/heads/main.
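An added example, not part of the Veto release bundle or its documentation: a fail-closed gate around the four attestation checks above, plus an offline check of which signer identities the policy regex accepts and rejects. The function names identity_allowed and verify_all and the sample identities are constructed for illustration; it assumes grep -E matches this pattern the same way cosign does.

```bash
#!/usr/bin/env bash
# Added example: fail-closed attestation gate. IDENTITY and ISSUER are copied from the page.
IDENTITY='^https://github.com/PlawIO/veto-platform/.github/workflows/release-images.yaml@refs/(tags/v.*|heads/main)$'
ISSUER=https://token.actions.githubusercontent.com
TYPES="cyclonedx spdxjson slsaprovenance openvex"

# identity_allowed SAN: offline check of whether the policy accepts a signer identity.
# Assumption: grep -E treats this pattern the same way cosign's regexp matching does.
identity_allowed() {
  printf '%s\n' "$1" | grep -Eq -- "$IDENTITY"
}

# verify_all IMAGE: run every attestation check; return non-zero if any type fails.
verify_all() {
  image=$1
  failed=0
  for t in $TYPES; do
    if cosign verify-attestation --type "$t" \
         --certificate-identity-regexp "$IDENTITY" \
         --certificate-oidc-issuer "$ISSUER" "$image" >/dev/null 2>&1; then
      echo "ok      $t"
    else
      echo "FAILED  $t" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Constructed sample identities (not taken from real certificates).
WF=https://github.com/PlawIO/veto-platform/.github/workflows/release-images.yaml
for san in "${WF}@refs/tags/v0.1.0" "${WF}@refs/heads/main" \
           "${WF}@refs/heads/feature-x" "${WF}@refs/pull/7/merge" \
           "https://github.com/someone-else/veto-platform/.github/workflows/release-images.yaml@refs/tags/v0.1.0"; do
  if identity_allowed "$san"; then echo "accept  $san"; else echo "reject  $san"; fi
done

# Usage on a connected staging host, before running airgap-load.sh:
#   verify_all ghcr.io/plawio/veto-server:v0.1.0 || exit 1
```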
No runtime connection to Plaw is required. No Convex, Postgres, or Plaw-hosted service is required when STORAGE_DRIVER=sqlite.