docs consolidation and others

docs/modules/airgap/guides/operations.md

@@ -0,0 +1,34 @@
+# Airgap Operations (DOCS-AIRGAP-57-004)
+
+Runbooks for imports, failure recovery, and auditing in sealed/constrained modes.
+
+## Imports
+1) Verify bundle hash/DSSE (see `mirror-bundles.md`).
+2) `stella airgap import --bundle ... --generation N --dry-run` (optional).
+3) Apply network policy: ensure sealed/constrained mode set correctly.
+4) Import with `stella airgap import ...` and watch logs.
+5) Confirm timeline event emitted (bundleId, mirrorGeneration, actor).
+
+## Failure recovery
+- Hash/signature mismatch: reject bundle; re-request export; log incident.
+- Partial import: rerun with `--force` after cleaning registry/cache; keep previous generation for rollback.
+- Staleness breach: if imports unavailable, raise amber alert; if >72h, go red and halt new ingest until refreshed.
+- Time anchor expired: apply new anchor from trusted media before continuing operations.
+
+## Auditing
+- Record every import in audit log: `{tenant, mirrorGeneration, manifestHash, actor, sealed}`.
+- Preserve manifests and hashes for at least two generations.
+- Periodically (daily) run `stella airgap list --format json` and archive output.
+- Ensure logs are immutable (append-only) in sealed environments.
+
+## Observability
+- Monitor counters for denied egress, import success/failure, and staleness alerts.
+- Expose `/obs/airgap/status` (if available) to scrape bundle freshness.
+
+## Checklist (per import)
+- [ ] Hash/DSSE verified
+- [ ] Sealed/constrained mode configured
+- [ ] Registry/cache reachable
+- [ ] Import succeeded
+- [ ] Timeline/audit recorded
+- [ ] Staleness dashboard updated