up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
32
docs/airgap/overview.md
Normal file
@@ -0,0 +1,32 @@
|
||||
# Airgap Overview
|
||||
|
||||
This page orients teams before diving into per-component runbooks. It summarises modes, lifecycle, and governance responsibilities for sealed deployments.
|
||||
|
||||
## Modes
|
||||
- **Sealed**: deny-all egress; only preloaded bundles (mirror + bootstrap) allowed. Requires exported time anchors and offline trust roots.
|
||||
- **Constrained**: limited egress to allowlisted registries and NTP; mirror bundles still preferred.
|
||||
- **Connected**: full egress for staging; must remain policy-compatible with sealed mode.
|
||||
|
||||
## Lifecycle
|
||||
1. **Prepare bundles**: export mirror + bootstrap packs (images/charts, SBOMs, DSSE metadata) signed and hashed.
|
||||
2. **Stage & verify**: load bundles into the offline store, verify hashes/DSSE, record mirrorGeneration.
|
||||
3. **Activate**: flip sealed toggle; enforce deny-all egress and policy banners; register bundles with Excititor/Export Center.
|
||||
4. **Operate**: run periodic staleness checks, apply time anchors, and audit imports via timeline events.
|
||||
5. **Refresh/rollback**: import next mirrorGeneration or roll back using previous manifest + hashes.
|
||||
|
||||
## Responsibilities
|
||||
- **AirGap Controller Guild**: owns network posture (deny-all, allowlists), sealed-mode policy banners, and change control.
|
||||
- **Export Center / Evidence Locker Guilds**: produce and verify bundle manifests, DSSE envelopes, and Merkle roots.
|
||||
- **Module owners** (Excititor, Concelier, etc.): honor sealed-mode toggles, emit staleness headers, and refuse unsigned/unknown bundles.
|
||||
- **Ops/Signals Guild**: maintain time anchors and observability sinks compatible with sealed deployments.
|
||||
|
||||
## Rule banner (sealed mode)
|
||||
Display a top-of-console banner when `sealed=true`:
|
||||
- "Sealed mode: no external egress. Only registered bundles permitted. Imports logged; violations trigger audit."
|
||||
- Include current `mirrorGeneration`, bundle manifest hash, and time-anchor status.
|
||||
|
||||
## Related docs
|
||||
- `docs/airgap/airgap-mode.md` — deeper policy shapes per mode.
|
||||
- `docs/airgap/bundle-repositories.md` — mirror/bootstrap bundle structure.
|
||||
- `docs/airgap/staleness-and-time.md` — time anchors and staleness checks.
|
||||
- `docs/airgap/controller-scaffold.md` / `importer-scaffold.md` — implementation scaffolds.
|
||||
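Review bot: In the Lifecycle list, step 2 ("Stage & verify") does not say what the hashes and DSSE envelopes are verified against or what happens when verification fails, and step 3 ("Activate") is not stated to depend on step 2 succeeding. Suggest saying that verification uses the offline trust roots named under Modes, that a failed check rejects the bundle, and that the sealed toggle can only be flipped once `mirrorGeneration` has been recorded for a verified bundle. Step 5 has the same gap for rollback: state whether the previous manifest and hashes are re-verified before that generation is reinstated. Minor: in Related docs, `importer-scaffold.md` is missing the `docs/airgap/` prefix used by the other entries.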