stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

docs consolidation and others

Browse Source
This commit is contained in:
master
2026-01-06 19:02:21 +02:00
parent d7bdca6d97
commit 4789027317
849 changed files with 16551 additions and 66770 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docs/modules/airgap/guides/degradation-matrix.md Normal file
View File

@@ -0,0 +1,19 @@
# Airgap Degradation Matrix (DOCS-AIRGAP-58-001)
What works and what degrades across modes (sealed → constrained → connected).
| Capability | Connected | Constrained | Sealed | Notes |
| --- | --- | --- | --- | --- |
| Mirror imports | ✓ | ✓ | ✓ | Sealed requires preloaded media + offline validation. |
| Time anchors (external NTP) | ✓ | ✓ (allowlisted) | ✗ | Sealed relies on signed time anchors. |
| Transparency log lookups | ✓ | ✓ (if allowlisted) | ✗ | Sealed skips; rely on bundled checkpoints. |
| Rekor witness | ✓ | optional | ✗ | Disabled in sealed; log locally. |
| SBOM feed refresh | ✓ | limited mirrors | offline only | Use mirror bundles. |
| CLI plugin downloads | ✓ | allowlisted | ✗ | Must ship in bootstrap pack. |
| Telemetry export | ✓ | optional | optional/log-only | Sealed may use console exporter only. |
| Webhook callbacks | ✓ | allowlisted internal only | ✗ | Use internal queue instead. |
| OTA updates | ✓ | partial | ✗ | Use mirrorGeneration refresh. |
## Remediation guidance
- If a capability is degraded in sealed mode, provide offline substitute (mirror bundles, time anchors, console exporter).
- When moving to constrained/connected, re-enable trust roots and transparency checks gradually; verify hashes first.