save checkpoint

docs/features/checked/tests/air-gap-test-enforcement.md

@@ -0,0 +1,28 @@
+# Air-Gap (No-Egress) Test Enforcement
+
+## Module
+__Tests
+
+## Status
+VERIFIED
+
+## Description
+Network-isolated test base classes and docker container builders that enforce no-egress in CI, with dedicated offline E2E tests.
+
+## Implementation Details
+- **Network Isolated Test Base**: `src/__Tests/__Libraries/StellaOps.Testing.AirGap/NetworkIsolatedTestBase.cs` -- xUnit test base class that runs tests in a network-isolated environment, verifying no outbound network calls are made during test execution.
+- **Isolated Container Builder**: `src/__Tests/__Libraries/StellaOps.Testing.AirGap/Docker/IsolatedContainerBuilder.cs` -- builds Docker containers with network isolation (no-egress) for air-gap integration tests using Testcontainers.
+- **Offline E2E Tests**: `src/__Tests/offline/` -- dedicated offline end-to-end test suite that runs the full platform stack without network access.
+
+## E2E Test Plan
+- [ ] Run a test inheriting from `NetworkIsolatedTestBase` and verify it completes without making any outbound network requests
+- [ ] Build an isolated container via `IsolatedContainerBuilder` and verify it has no network connectivity (e.g., DNS resolution fails, HTTP requests time out)
+- [ ] Run the offline E2E test suite and verify all tests pass without network access
+- [ ] Verify detection: add a test that makes an outbound HTTP call while using `NetworkIsolatedTestBase` and confirm the test fails with a network isolation violation
+- [ ] Verify the isolated container runs the full platform stack (web service, database) in air-gap mode
+
+## Verification
+- Verified on 2026-02-13 via `run-001`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 266/266 tests passed across Chaos.Tests, Evidence.Tests, Replay.Tests, FixtureTests.
+- Tier 2d: `docs/qa/feature-checks/runs/tests/air-gap-test-enforcement/run-001/tier2-integration-check.json`