# Console Air-Gap UX (Sealed Mode)

This document describes the Console surfaces and operator expectations when running against Offline Kit snapshots or in sealed/air-gapped deployments.

## Goals

- Make offline operation explicit (never “pretend online”).
- Show snapshot identity and staleness budgets so operators can reason about freshness.
- Keep import workflows auditable and tenant-scoped.

## Required Surfaces

### Offline / Sealed Status Badge

The Console should surface:

- Whether the site is operating in **sealed/offline mode**.
- The current **snapshot identity** (bundle ID / generation / content digest).
- The **last import time** and configured freshness/staleness budgets.

### Import Workflow

When imports are supported via Console:

- Use a clear stepper flow: select bundle → verify → apply → confirm.
- Display verification results (signature status, digest) without exposing secrets.
- Emit an auditable event: who imported what, when, and which snapshot became active.

### Staleness Dashboard

Operators need a quick view of:

- Advisory/VEX/policy ages relative to configured budgets
- Tenants/environments nearing expiry thresholds
- “Why stale?” explanations (missing time anchor, expired bundle, etc.)

## Staleness Rules

- Treat staleness as **a first-class signal**: show it prominently when it affects decision confidence.
- Use UTC timestamps; avoid local time ambiguity.
- When a time anchor is missing, surface “unknown staleness” instead of silently defaulting.

## Security and Guardrails

- Import is an admin operation (scoped and audited).
- Always display tenant context for imports and status surfaces.
- Avoid displaying long hashes without context; prefer short digests with a “copy full digest” action.

## References

- Offline Kit packaging and verification: `docs/24_OFFLINE_KIT.md`
- Air-gap workflows: `docs/airgap/`