# Air-gap and offline kit

## Offline Kit contents (typical)
- Signed advisory and VEX feeds
- Container images for core services
- Analyzer plugins and manifests
- Debug symbol store for deterministic diagnostics
- Telemetry collector bundle
- Task packs and operator docs
- Signed manifests and checksums

## Verify and import
- Verify the kit tarball signature before import.
- Verify the manifest signature and checksum list.
- Import is atomic and retains the previous feed set until validation passes.

## Delta updates
- Daily deltas apply only changed artifacts.
- Full kits are used as reset baselines when needed.
- Deltas must reference a known baseline manifest digest.

## Sealed mode and time anchors
- Sealed mode forbids external egress by default.
- Time anchors and staleness budgets keep offline verification deterministic.
- Air-gap installs should pin trusted roots and time anchor bundles.

## AOC and raw-data verification
- Run AOC verify checks against advisory_raw and vex_raw collections.
- Reject any raw data that violates provenance or append-only rules.

## Offline verification
- DSSE envelopes and cached transparency proofs enable local verification.
- Reachability and replay bundles can be verified without network access.
- Keep analyzer manifests and policy hashes with the replay bundle.