up

docs/airgap/degradation-matrix.md

@@ -0,0 +1,19 @@
+# Airgap Degradation Matrix (DOCS-AIRGAP-58-001)
+
+What works and what degrades across modes (sealed → constrained → connected).
+
+| Capability | Connected | Constrained | Sealed | Notes |
+| --- | --- | --- | --- | --- |
+| Mirror imports | ✓ | ✓ | ✓ | Sealed requires preloaded media + offline validation. |
+| Time anchors (external NTP) | ✓ | ✓ (allowlisted) | ✗ | Sealed relies on signed time anchors. |
+| Transparency log lookups | ✓ | ✓ (if allowlisted) | ✗ | Sealed skips; rely on bundled checkpoints. |
+| Rekor witness | ✓ | optional | ✗ | Disabled in sealed; log locally. |
+| SBOM feed refresh | ✓ | limited mirrors | offline only | Use mirror bundles. |
+| CLI plugin downloads | ✓ | allowlisted | ✗ | Must ship in bootstrap pack. |
+| Telemetry export | ✓ | optional | optional/log-only | Sealed may use console exporter only. |
+| Webhook callbacks | ✓ | allowlisted internal only | ✗ | Use internal queue instead. |
+| OTA updates | ✓ | partial | ✗ | Use mirrorGeneration refresh. |
+
+## Remediation guidance
+- If a capability is degraded in sealed mode, provide offline substitute (mirror bundles, time anchors, console exporter).
+- When moving to constrained/connected, re-enable trust roots and transparency checks gradually; verify hashes first.