# Network Intent Validator (Air-Gap Orchestrator Controls)

## Module
Orchestrator

## Status
IMPLEMENTED

## Description
NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.

## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/`
- **Key Classes**:
  - `NetworkIntentValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/NetworkIntentValidator.cs`) - validates job network intent against air-gap policy, blocking egress requests in sealed mode
  - `StalenessValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/StalenessValidator.cs`) - validates data freshness in air-gapped environments, ensuring cached data is within acceptable staleness bounds
  - `NetworkIntent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/NetworkIntent.cs`) - declares the network intent of a job (egress, ingress, local-only)
  - `SealingStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/SealingStatus.cs`) - enum for air-gap sealing state (Sealed, Unsealed, Transitioning)
  - `StalenessConfig` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessConfig.cs`) - configuration for acceptable data staleness in air-gap mode
  - `StalenessValidationResult` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessValidationResult.cs`) - result of staleness validation
  - `BundleProvenance` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/BundleProvenance.cs`) - provenance tracking for air-gap bundles
  - `MirrorBundle` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorBundle.cs`) - bundle model for offline mirror operations
  - `MirrorJobTypes` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorJobTypes.cs`) - types of mirror jobs (sync, verify, prune)
  - `MirrorOperationRecorder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorOperationRecorder.cs`) - records mirror operations for audit trail
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Set `SealingStatus` to Sealed and submit a job with egress intent; verify `NetworkIntentValidator` rejects it
- [ ] Set `SealingStatus` to Unsealed and submit a job with egress intent; verify it is allowed
- [ ] Validate staleness: set `StalenessConfig` max staleness to 24 hours and verify data older than 24 hours is rejected by `StalenessValidator`
- [ ] Create a mirror job with type=sync and verify `MirrorOperationRecorder` records the operation
- [ ] Verify bundle provenance: create a `MirrorBundle` and verify `BundleProvenance` captures origin, sync timestamp, and hash
- [ ] Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked
- [ ] Submit a local-only `NetworkIntent` job in sealed mode and verify it is allowed
- [ ] Verify staleness config: set different staleness thresholds per data type in `StalenessConfig` and verify per-type enforcement