k8s-deny-egress.yaml — NetworkPolicy template that denies all egress for pods labeled sealed=true, except optional in-cluster DNS when enabled.
compose-egress-guard.sh — Idempotent iptables guard for Docker/compose using the DOCKER-USER chain to drop all outbound traffic from a compose project network while allowing loopback and RFC1918 intra-cluster ranges.
verify-egress-block.sh — Verification harness that runs curl probes from Docker or Kubernetes and reports JSON results; exits non-zero if any target is reachable.
bundle_stage_import.py — Deterministic bundle staging helper: validates sha256 manifest, copies bundles to staging dir as <sha256>-<basename>, emits staging-report.json for evidence.
stage-bundle.sh — Thin wrapper around bundle_stage_import.py with positional args.
build_bootstrap_pack.py — Builds a Bootstrap Pack from images/charts/extras listed in a JSON config, writing bootstrap-manifest.json + checksums.sha256 deterministically.
build_bootstrap_pack.sh — Wrapper for the bootstrap pack builder.
build_mirror_bundle.py — Generates mirror bundle manifest + checksums with dual-control approvals; optional cosign signing. Outputs mirror-bundle-manifest.json, checksums.sha256, and optional signature/cert.
compose-syslog-smtp.yaml — Local SMTP (MailHog) + syslog-ng stack for sealed environments.
health_syslog_smtp.sh — Brings up the syslog/SMTP stack via docker compose and performs health checks (MailHog API + syslog logger).

See also ops/devops/sealed-mode-ci/ for the full sealed-mode compose harness and egress_probe.py, which this verification script wraps.