# Airgap Contracts (DOCS-AIRGAP-58-003)

Contracts developers must follow for sealed/constrained deployments.

## EgressPolicy usage
- Services read `EgressPolicy` config and must fail fast on disallowed hosts.
- All HTTP clients must pass through allowlist resolver; no raw `HttpClient` with arbitrary URLs.

## Sealed-mode tests
- Add integration tests that set `sealed=true` and assert outbound calls are blocked/mocked.
- Validate mirror bundle imports succeed under deny-all network by using local fixtures.

## Linting
- Static check to ban `DateTime.Now`, `Guid.NewGuid`, and direct `HttpClient` when `sealed=true` flag is present.
- CI rule: fail if new external domains appear outside allowlist file.

## Logging
- Log `sealed` flag, `mirrorGeneration`, and bundle hash on relevant API calls.
- Avoid emitting secrets or trust roots in logs.

## Config determinism
- All configs should be overridable via env vars; default to sealed-compatible settings.
- Use stable ordering in generated manifests and responses.