# AirGap Import & Verify (runbook outline)

Related advisory: `docs/product-advisories/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md` (AG1–AG12). Implements AIRGAP-VERIFY-510-014.

## Prerequisites
- `offline-kit/manifest.json` + `manifest.dsse` and `mirror.manifest` present.
- Trust roots: Rekor/TUF roots, Authority signing roots, AV/YARA public keys.
- Tools: `cosign` (or Stella verifier), `sha256sum`, `yara`, `python3`.

## Steps
1) Verify manifest signature
   - `cosign verify-blob --key trust-roots/manifest.pub --signature manifest.dsse manifest.json`
   - Sample helper: `scripts/airgap/verify-offline-kit.sh `
2) Check staleness and policy/graph hashes
   - Compare `feeds[*].snapshot` dates to allowed window; ensure `policyHash`/`graphHash` match target site config; fail closed on mismatch unless override signed.
3) Verify chunks and Merkle root
   - For each chunk listed in manifest, `sha256sum -c`; recompute Merkle root per manifest recipe; compare to `rootHash` field.
4) AV/YARA validation
   - Run `yara -r rules/offline-kit.yar kit/`; confirm `avReport.sha256` matches signed report in manifest; block on any detection.
5) Replay depth selection
   - Modes: `hash-only` (default), `full-recompute`, `policy-freeze`. Select via `--replay-mode`; enforce exit codes 0=pass, 3=stale, 4=hash-drift, 5=av-fail.
6) Ingress/egress receipts
   - Generate DSSE receipt `{hash, operator, time, decision}`; store in Proof Graph; verify incoming receipts before import.

## Outputs
- Exit code per replay mode outcome.
- Receipt DSSE stored at `receipts/{tenant}/{timestamp}.dsse`.
- Optional report `verify-report.json` summarizing checks.

> Expand with concrete scripts once tasks 510-010..014 land.
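
The fail-closed decision for steps 2 and 4, mapped to the step 5 exit codes, as an added Python example that is not StellaOps project code. Assumptions: `feeds[*].snapshot` is a `YYYY-MM-DD` date, the hashes are hex strings, a signed override applies only to policy/graph hash mismatch, and the `evaluate_kit` name, `site` layout (`maxAgeDays`), `override_verified` flag and check order are hypothetical.

```python
import hashlib
import hmac
from datetime import date, timedelta

PASS, STALE, HASH_DRIFT, AV_FAIL = 0, 3, 4, 5  # exit codes from step 5

def _same(a, b):
    """Constant-time hex compare; a missing value never matches (fail closed)."""
    return (isinstance(a, str) and isinstance(b, str)
            and hmac.compare_digest(a.lower().encode(), b.lower().encode()))

def evaluate_kit(manifest, site, av_report, yara_hits, today, override_verified=False):
    """Exit code for a manifest whose signature was already verified (step 1)."""
    # Step 2: every feed snapshot must fall inside the allowed window.
    feeds = manifest.get("feeds") or []
    if not feeds:
        return STALE
    oldest_allowed = today - timedelta(days=site["maxAgeDays"])
    for feed in feeds:
        try:
            snapshot = date.fromisoformat(feed["snapshot"])
        except (KeyError, TypeError, ValueError):
            return STALE  # an unreadable date counts as stale, never skipped
        if snapshot < oldest_allowed:
            return STALE
    # Step 2: policy/graph hashes must match the site unless an override was verified.
    drift = not (_same(manifest.get("policyHash"), site["policyHash"])
                 and _same(manifest.get("graphHash"), site["graphHash"]))
    if drift and not override_verified:
        return HASH_DRIFT
    # Step 4: the AV report must hash to the signed value and YARA must be clean.
    signed = (manifest.get("avReport") or {}).get("sha256")
    if yara_hits or not _same(hashlib.sha256(av_report).hexdigest(), signed):
        return AV_FAIL
    return PASS

# Constructed sample data, not a real StellaOps manifest.
AV_REPORT = b'{"detections": []}'
SITE = {"maxAgeDays": 30, "policyHash": "aa" * 32, "graphHash": "bb" * 32}
MANIFEST = {
    "feeds": [{"name": "osv", "snapshot": "2025-11-20"}],
    "policyHash": "aa" * 32,
    "graphHash": "bb" * 32,
    "avReport": {"sha256": hashlib.sha256(AV_REPORT).hexdigest()},
}

if __name__ == "__main__":
    raise SystemExit(evaluate_kit(MANIFEST, SITE, AV_REPORT, [], date(2025, 11, 25)))
```

The caller is expected to pass `override_verified=True` only after checking the override's signature against the trust roots, which this block does not do.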