# Air-gap runbooks (summary)

## Core runbooks

- Import and verify: unpack bundle, validate manifest, verify DSSE signatures.
- AV scan: scan bundle contents before import if required by policy.
- Quarantine: isolate bundles with hash or signature mismatches.
- Sealed startup diagnostics: confirm egress block and time anchor validity.

## Offline kit management

- Generate full or delta kits in connected environments.
- Verify kit hash and signature before transfer.
- Import and install kit, then confirm component freshness.

## Feed updates

- Use delta kits for smaller updates.
- Roll back to previous snapshot when feeds introduce regressions.
- Track feed age and kit expiry thresholds.

## Scanning in air-gap mode

- Scan local images or SBOMs without registry pull.
- Generate SBOMs locally and scan from file.
- Force offline feeds when required by policy.

## Verification in air-gap mode

- Verify proof bundles offline with local trust roots.
- Export and import trust bundles for signer and CA rotation.
- Run score replay with frozen timestamps if needed.

## Health checks

- Monitor kit age, feed freshness, trust store validity, disk usage.
- Use deterministic health checks and keep results for audit.

## Import and verify

- Validate bundle hash, manifest entries, and schema checks.
- Record import receipt with operator, time anchor, and manifest hash.
- Reject and log any mismatches or missing provenance.

## Quarantine handling

- Preserve the original bundle and verification logs.
- Open an incident if mismatches indicate tampering.
- Re-import only after a new bundle is signed and verified.

## Operational notes

- Keep previous mirror generation as rollback baseline.
- Use deterministic tools and fixed ordering for all checks.

## Related references

- docs/airgap/runbooks/import-verify.md
- docs/airgap/runbooks/av-scan.md
- docs/airgap/runbooks/quarantine-investigation.md
- docs/airgap/sealed-startup-diagnostics.md
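The "Import and verify" and "Quarantine handling" gates above (schema check, provenance presence, per-file hash comparison, and a receipt carrying operator, time anchor and manifest hash, with any mismatch routing the bundle to quarantine) as an added illustration that is not part of the project's own tooling. The manifest field names, the sample bundle contents and the receipt layout are assumptions; DSSE signature verification against the local trust root is a separate step not shown here.

```python
import hashlib
import json

# Manifest fields the import gate requires (assumed names, not the project's schema).
REQUIRED_KEYS = {"schema_version", "bundle_id", "provenance", "files"}

# Constructed sample bundle contents (path -> bytes), standing in for the
# unpacked bundle directory.
SAMPLE_FILES = {
    "feeds/nvd-delta.json": b'{"cves": ["example"]}',
    "sboms/app.cdx.json": b'{"bomFormat": "CycloneDX"}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_hash(manifest: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the receipt hash is deterministic.
    return sha256_hex(json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode())


def make_manifest(files: dict) -> dict:
    # Build a well-formed manifest for the sample files (seed data for the example).
    return {
        "schema_version": 1,
        "bundle_id": "kit-example-001",
        "provenance": {"builder": "connected-mirror", "signed": True},
        "files": {path: sha256_hex(data) for path, data in files.items()},
    }


def verify_bundle(manifest: dict, files: dict, operator: str, time_anchor: str) -> dict:
    """Run the import gates in a fixed order and return the receipt with the decision."""
    errors = []
    missing = REQUIRED_KEYS - manifest.keys()
    if missing:
        errors.append(f"manifest missing keys: {sorted(missing)}")
    if not manifest.get("provenance"):
        errors.append("missing provenance")
    expected = manifest.get("files", {})
    for path in sorted(expected):  # fixed ordering keeps the error log deterministic
        if path not in files:
            errors.append(f"listed file absent: {path}")
        elif sha256_hex(files[path]) != expected[path]:
            errors.append(f"hash mismatch: {path}")
    for path in sorted(files.keys() - expected.keys()):
        errors.append(f"unlisted file in bundle: {path}")
    return {
        "operator": operator,
        "time_anchor": time_anchor,
        "manifest_hash": manifest_hash(manifest),
        "status": "accepted" if not errors else "quarantined",
        "errors": errors,  # kept with the receipt for audit and incident review
    }
```

A "quarantined" receipt is the signal to preserve the original bundle and logs rather than discard them, so the verification record survives for the incident.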