AirGap Policy Task Board — Epic 16: Air-Gapped Mode

Sprint 56 – Facade & Contracts

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
AIRGAP-POL-56-001	TODO	AirGap Policy Guild	TELEMETRY-OBS-50-001	Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors.	Facade package builds/tests; integration tests simulate sealed/unsealed; error contract documented.
AIRGAP-POL-56-002	TODO	AirGap Policy Guild, DevEx Guild	AIRGAP-POL-56-001	Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration.	Analyzer packaged; CI fails on intentional violation; docs updated for opt-in.

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
AIRGAP-POL-57-001	TODO	AirGap Policy Guild, BE-Base Platform Guild	AIRGAP-POL-56-001	Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode.	Services compile with facade; sealed-mode tests run in CI; configuration docs updated.
AIRGAP-POL-57-002	TODO	AirGap Policy Guild, Task Runner Guild	AIRGAP-POL-56-001, TASKRUN-OBS-50-001	Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list.	Validator blocks forbidden steps; tests cover allow/deny; error surfaces remediation text.

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
AIRGAP-POL-58-001	TODO	AirGap Policy Guild, Observability Guild	AIRGAP-POL-57-001	Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning.	Exporters respect sealed flag; timeline/log message emitted; docs updated.
AIRGAP-POL-58-002	TODO	AirGap Policy Guild, CLI Guild	AIRGAP-POL-56-001, CLI-OBS-50-001	Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation.	CLI returns `AIRGAP_EGRESS_BLOCKED`; tests cover sealed/unsealed flows; help text updated.