# Airgap Degradation Matrix (DOCS-AIRGAP-58-001)

What works and what degrades across modes (sealed → constrained → connected).

| Capability | Connected | Constrained | Sealed | Notes |
| --- | --- | --- | --- | --- |
| Mirror imports | ✓ | ✓ | ✓ | Sealed requires preloaded media + offline validation. |
| Time anchors (external NTP) | ✓ | ✓ (allowlisted) | ✗ | Sealed relies on signed time anchors. |
| Transparency log lookups | ✓ | ✓ (if allowlisted) | ✗ | Sealed skips; rely on bundled checkpoints. |
| Rekor witness | ✓ | optional | ✗ | Disabled in sealed; log locally. |
| SBOM feed refresh | ✓ | limited mirrors | offline only | Use mirror bundles. |
| CLI plugin downloads | ✓ | allowlisted | ✗ | Must ship in bootstrap pack. |
| Telemetry export | ✓ | optional | optional/log-only | Sealed may use console exporter only. |
| Webhook callbacks | ✓ | allowlisted internal only | ✗ | Use internal queue instead. |
| OTA updates | ✓ | partial | ✗ | Use mirrorGeneration refresh. |

## Remediation guidance
- If a capability is degraded in sealed mode, provide offline substitute (mirror bundles, time anchors, console exporter).
- When moving to constrained/connected, re-enable trust roots and transparency checks gradually; verify hashes first.