# Airgap Operations (DOCS-AIRGAP-57-004)

Runbooks for imports, failure recovery, and auditing in sealed/constrained modes.

## Imports

1) Verify bundle hash/DSSE (see `mirror-bundles.md`).
2) `stella airgap import --bundle ... --generation N --dry-run` (optional).
3) Apply network policy: ensure sealed/constrained mode set correctly.
4) Import with `stella airgap import ...` and watch logs.
5) Confirm timeline event emitted (bundleId, mirrorGeneration, actor).

## Failure recovery

- Hash/signature mismatch: reject bundle; re-request export; log incident.
- Partial import: rerun with `--force` after cleaning registry/cache; keep previous generation for rollback.
- Staleness breach: if imports unavailable, raise amber alert; if >72h, go red and halt new ingest until refreshed.
- Time anchor expired: apply new anchor from trusted media before continuing operations.

## Auditing

- Record every import in audit log: `{tenant, mirrorGeneration, manifestHash, actor, sealed}`.
- Preserve manifests and hashes for at least two generations.
- Periodically (daily) run `stella airgap list --format json` and archive output.
- Ensure logs are immutable (append-only) in sealed environments.

## Observability

- Monitor counters for denied egress, import success/failure, and staleness alerts.
- Expose `/obs/airgap/status` (if available) to scrape bundle freshness.

## Checklist (per import)

- [ ] Hash/DSSE verified
- [ ] Sealed/constrained mode configured
- [ ] Registry/cache reachable
- [ ] Import succeeded
- [ ] Timeline/audit recorded
- [ ] Staleness dashboard updated
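
One way to check the Auditing and Staleness-breach rules above against an archived audit log. This is an added example, not part of the original runbook or the project's own code. It assumes the log is stored as JSON Lines, that each record carries a `ts` timestamp field, that a log with no dated record counts as red, and that the non-alert state is called `green`; the sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED = ("tenant", "mirrorGeneration", "manifestHash", "actor", "sealed")
RED_AFTER = timedelta(hours=72)  # runbook threshold: go red and halt new ingest

# Constructed sample log; the JSONL layout, "ts" field and all values are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-01-01T00:00:00Z","tenant":"t1","mirrorGeneration":11,"manifestHash":"sha256:aaaa","actor":"ops-a","sealed":true}
{"ts":"2025-01-02T06:00:00Z","tenant":"t1","mirrorGeneration":12,"manifestHash":"sha256:bbbb","actor":"ops-b","sealed":true}
{"ts":"2025-01-03T00:00:00Z","tenant":"t1","mirrorGeneration":12,"actor":"ops-b","sealed":true}
"""

def audit(log_text):
    """Split a JSONL audit log into complete records and (line, problem) findings."""
    valid, problems = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            missing = [k for k in REQUIRED if k not in rec]
        except (json.JSONDecodeError, TypeError):
            problems.append((n, "not a JSON object"))
            continue
        if missing:
            problems.append((n, "missing " + ",".join(missing)))
        else:
            valid.append(rec)
    return valid, problems

def retained_generations(records):
    """Generations with a manifest hash on record, newest first (runbook wants >= 2)."""
    return sorted({r["mirrorGeneration"] for r in records}, reverse=True)

def staleness(records, now, imports_available):
    """red if the last complete import is older than 72h, amber if imports are unavailable."""
    stamps = [datetime.fromisoformat(r["ts"].replace("Z", "+00:00")) for r in records if "ts" in r]
    if not stamps or now - max(stamps) > RED_AFTER:
        return "red"
    return "green" if imports_available else "amber"

if __name__ == "__main__":
    recs, probs = audit(SAMPLE_LOG)
    print(probs, retained_generations(recs), staleness(recs, datetime.now(timezone.utc), True))
```

Records that fail the field check are excluded from the freshness calculation, so an incomplete audit entry cannot reset the staleness clock.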