stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7bafcc3eef9ae15d9441641a2ba3ef7ca4e67907
git.stella-ops.org/docs/features/checked/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

3.1 KiB
Raw Blame History

Air-Gap Epistemic Mode with Sealed Startup and Feed Snapshots

Module

AirGap

Status

VERIFIED

Description

Full epistemic completeness for air-gapped environments: sealed startup validation, feed snapshot repositories, signed mirror connectors, cryptographic binding of knowledge state to scan results, snapshot management, and sealed install enforcement.

Implementation Details

  • Sealed startup: src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs -- validates sealed state at startup
  • Startup options: src/AirGap/StellaOps.AirGap.Controller/Options/AirGapStartupOptions.cs -- sealed startup configuration
  • State management: src/AirGap/StellaOps.AirGap.Controller/Domain/AirGapState.cs, Services/AirGapStateService.cs
  • State stores: src/AirGap/StellaOps.AirGap.Controller/Stores/IAirGapStateStore.cs, InMemoryAirGapStateStore.cs
  • Feed snapshots: src/AirGap/__Libraries/StellaOps.AirGap.Bundle/ -- snapshot management in bundle library
  • Offline verification: src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs, OfflineVerificationPolicyLoader.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify sealed startup validation prevents operation with incomplete knowledge state
  • Test feed snapshot loading and cryptographic binding
  • Verify state transitions in air-gap controller
  • Test offline verification policy enforcement

Verification

  • Verified on 2026-02-11 with run-001.
  • Tier 0 source/declaration checks passed for sealed-startup diagnostics, controller state store/service, snapshot bundle writer, and offline verification policy loader surfaces.
  • Tier 1 build/tests passed across controller/importer/bundle projects (27/27 controller, 154/154 importer with new policy-loader tests, 150/150 bundle).
  • Tier 2 behavioral API checks passed for /system/airgap/status, /system/airgap/seal, and /system/airgap/verify with both positive and negative paths; status confirmed sealed=true after successful seal.
  • Additional Tier 2 integration evidence covers offline policy parsing/canonicalization via OfflineVerificationPolicyLoaderTests.
  • Revalidated on 2026-02-11 with run-002 to capture fresh Tier 0/1/2 evidence in this execution lane.
  • Evidence:
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier2-api-check.json
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier0-source-check.json
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier1-build-check.json
    • docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier2-integration-check.json