Restructure solution layout by module

src/AirGap/StellaOps.AirGap.Controller/AGENTS.md

@@ -0,0 +1,16 @@
+# StellaOps AirGap Controller Guild Charter
+
+## Mission
+Own the sealing state machine, status APIs, and enforcement hooks that keep StellaOps compliant in sealed air-gapped environments while respecting the imposed rule.
+
+## Scope
+- Persisted air-gap state (`sealed`, policy hash, time anchor metadata) and RBAC enforcement.
+- HTTP endpoints for seal/unseal/status and integration with Authority scopes.
+- Startup diagnostics that refuse to run when sealing requirements are unmet.
+- Coordination with DevOps for Kubernetes/Compose egress policies.
+- Telemetry and audit events reflecting sealing actions and violations.
+
+## Definition of Done
+- Deterministic tests for seal/unseal transitions and audit logging.
+- Integration tests covering RBAC, sealed-mode refusal, and policy hash validation.
+- Documentation hooks updated in `/docs/airgap/` for each shipped feature.

src/AirGap/StellaOps.AirGap.Controller/TASKS.md

@@ -0,0 +1,18 @@
+# AirGap Controller Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Sealing Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-56-001 | TODO | AirGap Controller Guild | AUTH-OBS-50-001 | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). | State table created with migrations; seal/unseal transitions audited; unit tests cover happy/error paths. |
+| AIRGAP-CTL-56-002 | TODO | AirGap Controller Guild, DevOps Guild | AIRGAP-CTL-56-001, DEVOPS-AIRGAP-56-001 | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. | APIs documented with OpenAPI; RBAC enforced; integration tests cover unauthorized/sealed states. |
+
+## Sprint 57 – Enforcement & Diagnostics
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-57-001 | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. | Startup guard tested with simulated failure; telemetry includes `airgap_sealed=true`; docs updated. |
+| AIRGAP-CTL-57-002 | TODO | AirGap Controller Guild, Observability Guild | AIRGAP-CTL-56-002, TELEMETRY-OBS-50-001 | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). | Timeline events validated; logs include actor/tenant/policy hash; integration test covers duplication suppression. |
+
+## Sprint 58 – Time Anchor & Drift
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-58-001 | TODO | AirGap Controller Guild, AirGap Time Guild | AIRGAP-CTL-56-002, AIRGAP-TIME-57-001 | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. | Time anchor stored with bundle ID; drift calculation validated in tests; status API returns staleness metrics. |

src/AirGap/StellaOps.AirGap.Importer/AGENTS.md

@@ -0,0 +1,16 @@
+# StellaOps AirGap Importer Guild Charter
+
+## Mission
+Deliver offline bundle verification and ingestion tooling for sealed environments, covering DSSE/TUF validation, catalog updates, and audit logging under the imposed rule.
+
+## Scope
+- TUF metadata verification, DSSE signature checks, Merkle root validation.
+- Import pipelines writing bundle catalogs, object-store layouts, and audit entries.
+- CLI + API surfaces for dry-run verification, import, and status queries.
+- Integration hooks for Conseiller, Excitator, Policy Engine, and Export Center.
+- Negative-case handling (tampering, expired signatures, root rotation) with operator guidance.
+
+## Definition of Done
+- Deterministic fixtures for valid/invalid bundles committed.
+- Integration tests prove catalog + object-store updates are idempotent.
+- Import audit trail viewable via API and timeline events.

src/AirGap/StellaOps.AirGap.Importer/TASKS.md

@@ -0,0 +1,19 @@
+# AirGap Importer Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Verification Primitives
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-56-001 | TODO | AirGap Importer Guild | PROV-OBS-53-001 | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. | Verifier returns structured results; unit tests cover valid/invalid signatures and tampering scenarios. |
+| AIRGAP-IMP-56-002 | TODO | AirGap Importer Guild, Security Guild | AIRGAP-IMP-56-001 | Introduce root rotation policy validation (dual approval) and signer trust store management. | Rotation policy enforced; tests cover valid rotation and rollback; docs stub updated. |
+
+## Sprint 57 – Catalog & Storage Writes
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-57-001 | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001, DEVOPS-AIRGAP-56-002 | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. | Catalog tables created; integration tests ensure tenant/global scoping; determinism check passes. |
+| AIRGAP-IMP-57-002 | TODO | AirGap Importer Guild, DevOps Guild | AIRGAP-IMP-57-001 | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. | Import writes deduplicated objects; checksum mismatches raise errors; storage layout documented. |
+
+## Sprint 58 – Import Workflows
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-58-001 | TODO | AirGap Importer Guild, CLI Guild | AIRGAP-IMP-57-002, CLI-AIRGAP-56-001 | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. | CLI/API share validation engine; diff preview surfaces metadata changes; audit entries recorded with trace IDs. |
+| AIRGAP-IMP-58-002 | TODO | AirGap Importer Guild, Observability Guild | AIRGAP-IMP-58-001, TELEMETRY-OBS-50-001 | Emit timeline events (`airgap.import.started|completed|failed`) and telemetry metrics (bundle bytes, duration, warnings). | Events/metrics validated in integration tests; docs cross-link to observability dashboards. |

src/AirGap/StellaOps.AirGap.Policy/AGENTS.md

@@ -0,0 +1,16 @@
+# StellaOps AirGap Policy Guild Charter
+
+## Mission
+Provide the shared enforcement layer (`EgressPolicy`, job plan validators, sealed-mode gates) that keeps all services compliant with Air-Gapped Mode requirements.
+
+## Scope
+- `EgressPolicy` facade replacing raw HTTP client usage.
+- Static analysis/linting to detect unauthorized network calls.
+- Task Runner and orchestrator validators flagging disallowed destinations.
+- Shared error contract (`AIRGAP_EGRESS_BLOCKED`) and remediation messages.
+- Test harnesses simulating sealed/unsealed execution paths.
+
+## Definition of Done
+- Every service imports the facade; CI fails on direct HTTP client usage.
+- Sealed-mode unit tests cover panic/remediation behavior across host types.
+- Documentation updated in `/docs/dev/airgap-contracts.md` for adoption patterns.

src/AirGap/StellaOps.AirGap.Policy/TASKS.md

@@ -0,0 +1,19 @@
+# AirGap Policy Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Facade & Contracts
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-56-001 | TODO | AirGap Policy Guild | TELEMETRY-OBS-50-001 | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. | Facade package builds/tests; integration tests simulate sealed/unsealed; error contract documented. |
+| AIRGAP-POL-56-002 | TODO | AirGap Policy Guild, DevEx Guild | AIRGAP-POL-56-001 | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. | Analyzer packaged; CI fails on intentional violation; docs updated for opt-in. |
+
+## Sprint 57 – Service Adoption Wave 1
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-57-001 | TODO | AirGap Policy Guild, BE-Base Platform Guild | AIRGAP-POL-56-001 | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. | Services compile with facade; sealed-mode tests run in CI; configuration docs updated. |
+| AIRGAP-POL-57-002 | TODO | AirGap Policy Guild, Task Runner Guild | AIRGAP-POL-56-001, TASKRUN-OBS-50-001 | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list. | Validator blocks forbidden steps; tests cover allow/deny; error surfaces remediation text. |
+
+## Sprint 58 – Service Adoption Wave 2
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-58-001 | TODO | AirGap Policy Guild, Observability Guild | AIRGAP-POL-57-001 | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning. | Exporters respect sealed flag; timeline/log message emitted; docs updated. |
+| AIRGAP-POL-58-002 | TODO | AirGap Policy Guild, CLI Guild | AIRGAP-POL-56-001, CLI-OBS-50-001 | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation. | CLI returns `AIRGAP_EGRESS_BLOCKED`; tests cover sealed/unsealed flows; help text updated. |

src/AirGap/StellaOps.AirGap.Time/AGENTS.md

@@ -0,0 +1,15 @@
+# StellaOps AirGap Time Guild Charter
+
+## Mission
+Manage trusted time anchors and staleness budgets for sealed environments, ensuring deterministic behavior when external time sources are unavailable.
+
+## Scope
+- Parse signed time tokens from Mirror Bundles and validate signatures.
+- Persist `time_anchor` metadata and compute drift/staleness metrics.
+- Provide helpers for UI/API staleness badges and job gating.
+- Integrate with Notifications to alert on approaching drift thresholds.
+
+## Definition of Done
+- Test vectors for time tokens committed alongside verification code.
+- Drift calculations deterministic and configurable per tenant.
+- Documentation updates for `/docs/airgap/staleness-and-time.md` with examples.

src/AirGap/StellaOps.AirGap.Time/TASKS.md

@@ -0,0 +1,13 @@
+# AirGap Time Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 57 – Time Anchor Validation
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-TIME-57-001 | TODO | AirGap Time Guild | PROV-OBS-54-001, AIRGAP-IMP-56-001 | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. | Parser handles both token formats; tests cover valid/expired/tampered tokens; documentation stubbed. |
+| AIRGAP-TIME-57-002 | TODO | AirGap Time Guild, Observability Guild | AIRGAP-TIME-57-001 | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. | Metrics registered; alert templates created; integration test ensures emission on stale anchor. |
+
+## Sprint 58 – Drift & Staleness Enforcement
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-TIME-58-001 | TODO | AirGap Time Guild | AIRGAP-TIME-57-001, AIRGAP-CTL-56-002 | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. | Drift/staleness values exposed via API; unit tests cover threshold calculations; docs updated. |
+| AIRGAP-TIME-58-002 | TODO | AirGap Time Guild, Notifications Guild | AIRGAP-TIME-58-001, NOTIFY-OBS-51-001 | Emit notifications and timeline events when staleness budgets breached or approaching. | Notifications dispatched with remediation; timeline events recorded; CLI shows warning banner. |