# Air-gap runbooks (summary)

Core runbooks
- Import and verify: unpack bundle, validate manifest, verify DSSE signatures.
- AV scan: scan bundle contents before import if required by policy.
- Quarantine: isolate bundles with hash or signature mismatches.
- Sealed startup diagnostics: confirm egress block and time anchor validity.

Import and verify
- Validate bundle hash, manifest entries, and schema checks.
- Record import receipt with operator, time anchor, and manifest hash.
- Reject and log any mismatches or missing provenance.

Quarantine handling
- Preserve the original bundle and verification logs.
- Open an incident if mismatches indicate tampering.
- Re-import only after a new bundle is signed and verified.

Operational notes
- Keep previous mirror generation as rollback baseline.
- Use deterministic tools and fixed ordering for all checks.

Related references
- docs/airgap/runbooks/import-verify.md
- docs/airgap/runbooks/av-scan.md
- docs/airgap/runbooks/quarantine-investigation.md
- docs/airgap/sealed-startup-diagnostics.md