# CLI Airgap Guide (DOCS-AIRGAP-57-003)

Offline/air-gapped usage patterns for the Stella CLI.

## Offline kit commands

- Import an offline kit (local verification + activation)
  ```bash
  stella offline import \
    --bundle ./bundle-2025-12-14.tar.zst \
    --verify-dsse \
    --verify-rekor \
    --trust-root /evidence/keys/roots/stella-root.pub
  ```
- Check current offline kit status
  ```bash
  stella offline status --output table
  ```

## Prerequisites

- CLI installed from offline bundle; `local-nugets/` and cached plugins available.
- Mirror/Bootstrap bundles staged locally; no external network required.
- Set `STELLA_OFFLINE=true` to prevent outbound fetches.

## Common commands

- Validate mirror bundle
  ```bash
  stella airgap verify-bundle /mnt/media/mirror.tar \
    --manifest /mnt/media/manifest.json \
    --trust-root /opt/stella/trust/mirror-root.pem
  ```
- Import bundle into local registry
  ```bash
  stella airgap import --bundle /mnt/media/mirror.tar --generation 12
  ```
- Check sealed mode status
  ```bash
  stella airgap status
  ```
- List bundles and staleness
  ```bash
  stella airgap list --format table
  ```

## Determinism & offline rules

- Commands must succeed without egress; any outbound attempt is a bug—report with logs.
- Hashes and signatures are verified locally using bundled trust roots; no OCSP/CRL.
- Outputs are stable JSON/NDJSON; timestamps use UTC.

## Exit codes

- `0` success
- `2` validation failed (hash/signature mismatch)
- `3` sealed-mode violation (unexpected egress attempted)
- `4` input/argument error
- `>4` unexpected error (inspect logs)

## Logs

- Default stderr structured JSON: includes `tenant`, `bundleId`, `mirrorGeneration`, `sealed` flag.
- For audits, use `--log-file /var/log/stella/airgap.log --log-format json`.

## Tips

- Keep bundles on read-only media to avoid hash drift.
- Use `--dry-run` to validate without writing to registries.
- Pair with `docs/airgap/overview.md` and `docs/airgap/sealing-and-egress.md` for policy context.
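
The wrapper below is an added example, not part of the Stella documentation or code base. It chains the `verify-bundle` and `import` commands from "Common commands" so that the import only runs after local verification succeeds, and it maps the documented exit codes to operator actions. The function names and action keywords are hypothetical, and exit code `1`, which is not documented above, is assumed to be an unexpected error.

```bash
#!/bin/sh
# Added example (not project code): gate `stella airgap import` on verification
# and translate the documented exit codes into an operator action keyword.

# classify_exit CODE -> prints a hypothetical action keyword for the exit code.
classify_exit() {
  case "$1" in
    0) echo "ok" ;;
    2) echo "quarantine" ;;     # hash/signature mismatch: do not import this media
    3) echo "report-egress" ;;  # sealed-mode violation: a bug, report with logs
    4) echo "fix-arguments" ;;  # input/argument error
    *) echo "inspect-logs" ;;   # >4 unexpected error (1 is assumed to belong here)
  esac
}

# verify_then_import BUNDLE MANIFEST TRUST_ROOT GENERATION
# Returns the exit code of the first step that failed, or 0 if both succeeded.
verify_then_import() {
  local bundle="$1" manifest="$2" root="$3" generation="$4" rc=0

  # Prevent outbound fetches for every command run from this function.
  export STELLA_OFFLINE=true

  # Step 1: verify hashes and signatures locally against the bundled trust root.
  stella airgap verify-bundle "$bundle" \
    --manifest "$manifest" \
    --trust-root "$root" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "verify-bundle rc=$rc action=$(classify_exit "$rc")" >&2
    return "$rc"   # never reach the import step with an unverified bundle
  fi

  # Step 2: import only after verification returned 0.
  stella airgap import --bundle "$bundle" --generation "$generation" || rc=$?
  echo "import rc=$rc action=$(classify_exit "$rc")" >&2
  return "$rc"
}
```

Called as `verify_then_import /mnt/media/mirror.tar /mnt/media/manifest.json /opt/stella/trust/mirror-root.pem 12`, it propagates the failing step's exit code so schedulers and audit tooling see the same codes listed under "Exit codes".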