stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
01a2a2dc1615cfe2cc6e5b9b71686a1663c8c71a
git.stella-ops.org/docs/modules/policy/prep/2025-11-20-policy-airgap-57-001-prep.md
master d519782a8f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
prep docs and service updates
2025-11-21 06:56:36 +00:00

1.2 KiB
Raw Blame History

Policy AirGap Sealed-Mode Prep — PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD

Status: Draft (2025-11-20) Owners: Policy Guild · AirGap Policy Guild Scope: Define sealed-mode policy behaviour and error envelopes after mirror import (56-002).

Inputs needed

  • Sealed-mode error envelope standard (WEB-OAS-61-002) for consistency with Concelier/Web.
  • Staleness metadata fields from 56-002 (bundle provenance / time anchor).

Proposed behavior

  • When sealed mode active and non-mirror source requested, return error POLICY_AIRGAP_EGRESS_BLOCKED with remediation list and staleness_seconds_remaining if available.
  • Determinism: sorted remediation items; canonical JSON ordering.
  • Telemetry: counter policy_airgap_egress_blocked_total{tenant,endpoint} and event policy.airgap.egress_blocked with {tenant_id, bundle_id?, policy_hash}.

Acceptance

  • Envelope finalized in line with WEB-OAS-61-002; fields confirmed with AirGap Policy Guild.
  • Sample response stored at docs/modules/policy/samples/policy-airgap-sealed@draft.json.

Handoff

Prep artefact for PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD. Update once error envelope and staleness fields are frozen; then mark task DONE and start implementation.