AirGap

Status: Implemented
Source: src/AirGap/
Owner: Platform Team

Note: This is the module dossier with architecture and implementation details. For operational guides and workflows, see docs/modules/airgap/guides/.

Purpose

AirGap manages the export and import of sealed knowledge snapshots for offline/air-gapped deployments. It provides time-anchored snapshots with staleness policies, deterministic bundle creation, and secure import validation, so that a deployment can operate completely offline.

Components

Services:

  • StellaOps.AirGap.Controller - Snapshot orchestration and staleness enforcement
  • StellaOps.AirGap.Importer - Import validation and bundle ingestion

Libraries:

  • StellaOps.AirGap.Policy - Staleness policy evaluation
  • StellaOps.AirGap.Time - Time anchor validation and trust
  • StellaOps.AirGap.Storage.Postgres - PostgreSQL storage for snapshots
  • StellaOps.AirGap.Storage.Postgres.Tests - Storage integration tests

Configuration

See etc/airgap.yaml.sample for configuration options.

Key settings:

  • Staleness policy (maxAgeHours, warnAgeHours, staleAction)
  • Time anchor requirements (requireTimeAnchor)
  • Per-content staleness budgets (advisories, VEX, packages, mitigations)
  • PostgreSQL connection (schema: airgap)
  • Export/import paths and validation rules

Bundle manifest (v2) additions

  • canonicalManifestHash: sha256 of canonical JSON for deterministic verification.
  • subject: sha256 (+ optional sha512) digest of the bundle target.
  • timestamps: RFC3161/eIDAS timestamp entries with TSA chain/OCSP/CRL refs.
  • rekorProofs: entry body/inclusion proof paths plus signed entry timestamp for offline verification.
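
An added example (not the project's own code) of an import-side check that ties canonicalManifestHash to the staleness settings listed under Configuration. The canonical form used here (hash field excluded, sorted keys, no whitespace, UTF-8), the manifest layout, the result labels and the sample values are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

HASH_FIELD = "canonicalManifestHash"  # field name from the manifest v2 list


def canonical_hash(manifest: dict) -> str:
    # Assumed canonical form: hash field excluded, keys sorted at every level,
    # no insignificant whitespace, UTF-8. The real scheme may differ.
    body = {k: v for k, v in manifest.items() if k != HASH_FIELD}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def hash_matches(manifest: dict) -> bool:
    claimed = manifest.get(HASH_FIELD)
    return isinstance(claimed, str) and claimed.lower() == canonical_hash(manifest)


def staleness(anchor: datetime, now: datetime, policy: dict) -> str:
    # "fresh" / "warn" / "stale" / "invalid" are labels made up for this example.
    age = now - anchor
    if age < timedelta(0):
        return "invalid"  # anchor lies in the future: clock or anchor is wrong
    if age > timedelta(hours=policy["maxAgeHours"]):
        return "stale"
    if age > timedelta(hours=policy["warnAgeHours"]):
        return "warn"
    return "fresh"


def import_decision(manifest: dict, anchor: datetime, now: datetime, policy: dict) -> str:
    # Integrity first: a manifest that fails the hash check is never age-evaluated.
    if not hash_matches(manifest):
        return "reject:hash-mismatch"
    return staleness(anchor, now, policy)  # caller applies staleAction to this label


# Constructed sample data (not a real bundle).
SAMPLE = {"subject": {"sha256": "ab" * 32}, "timestamps": [], "rekorProofs": []}
SAMPLE[HASH_FIELD] = canonical_hash(SAMPLE)
POLICY = {"maxAgeHours": 168, "warnAgeHours": 72}  # constructed values
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(import_decision(SAMPLE, NOW - timedelta(hours=80), NOW, POLICY))
```

Because the hash is taken over a canonical serialization, reordering the manifest's keys does not change the result, while changing any value does.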

Dependencies

  • PostgreSQL (schema: airgap)
  • Authority (authentication)
  • ExportCenter (bundle creation)
  • Mirror (snapshot sources)
  • All data modules (Concelier, VexHub, SbomService, etc.)

Related documentation:

  • Operations: ./operations/ (if exists)
  • Offline Kit: ../../OFFLINE_KIT.md
  • Mirror: ../mirror/
  • ExportCenter: ../export-center/

Current Status

Implemented, with the Controller handling snapshot export and the Importer handling secure ingestion. Staleness policies enforce time-bound validity. The module is integrated with ExportCenter for bundle packaging and with all data modules for content export/import.