git.stella-ops.org/docs/airgap/overview.md
2025-11-24 07:52:25 +02:00

Airgap Overview

This page orients teams before diving into per-component runbooks. It summarises modes, lifecycle, and governance responsibilities for sealed deployments.

Modes

  • Sealed: deny-all egress; only preloaded bundles (mirror + bootstrap) allowed. Requires exported time anchors and offline trust roots.
  • Constrained: limited egress to allowlisted registries and NTP; mirror bundles still preferred.
  • Connected: full egress for staging; must remain policy-compatible with sealed mode.

Lifecycle

  1. Prepare bundles: export mirror + bootstrap packs (images/charts, SBOMs, DSSE metadata) signed and hashed.
  2. Stage & verify: load bundles into the offline store, verify hashes/DSSE, record mirrorGeneration.
  3. Activate: flip sealed toggle; enforce deny-all egress and policy banners; register bundles with Excititor/Export Center.
  4. Operate: run periodic staleness checks, apply time anchors, and audit imports via timeline events.
  5. Refresh/rollback: import next mirrorGeneration or roll back using previous manifest + hashes.
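
The stage-and-verify step (2) can be sketched as follows. This is an added example, not StellaOps code: the manifest fields other than mirrorGeneration, the payload type, and the key material are hypothetical, and HMAC-SHA256 stands in for the asymmetric signature a real DSSE envelope would carry. The importer checks the signature over the DSSE pre-authentication encoding before it parses anything, then refuses the bundle if any staged file is missing, unlisted, or fails its hash.

```python
import base64, hashlib, hmac, json

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def verify_bundle(envelope: dict, trust_roots: dict, staged: dict) -> int:
    """Return mirrorGeneration if envelope and staged artifacts verify, else raise."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    for sig in envelope.get("signatures", []):
        key = trust_roots.get(sig.get("keyid"))  # keys outside the offline roots are ignored
        if key is None:
            continue
        # ASSUMPTION: HMAC-SHA256 stands in for the real asymmetric verification.
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(sig["sig"])):
            break
    else:
        raise ValueError("refused: no valid signature from an offline trust root")
    manifest = json.loads(payload)  # parsed only after the signature check passes
    listed = {e["path"]: e["sha256"] for e in manifest["artifacts"]}
    if set(staged) != set(listed):
        raise ValueError("refused: staged files do not match the manifest")
    for path, digest in listed.items():
        if not hmac.compare_digest(hashlib.sha256(staged[path]).hexdigest(), digest):
            raise ValueError("refused: hash mismatch for " + path)
    return manifest["mirrorGeneration"]

# Constructed sample data below: not real StellaOps bundles, keys or schema.
KEY = b"constructed-trust-root-key"
TRUST_ROOTS = {"root-1": KEY}
ARTIFACTS = {"images/app.tar": b"image bytes", "sbom/app.json": b"{}"}
PAYLOAD_TYPE = "application/vnd.example.mirror-manifest+json"  # hypothetical

def make_envelope(generation, artifacts, keyid="root-1", key=KEY):
    """Build a signed envelope for the sample (export-side helper for the demo)."""
    manifest = {"mirrorGeneration": generation, "artifacts": [
        {"path": p, "sha256": hashlib.sha256(d).hexdigest()}
        for p, d in sorted(artifacts.items())]}
    payload = json.dumps(manifest).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

if __name__ == "__main__":
    print(verify_bundle(make_envelope(7, ARTIFACTS), TRUST_ROOTS, ARTIFACTS))
```

The returned generation is the value to record after a successful import; any raised error means the bundle stays out of the offline store.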

Responsibilities

  • AirGap Controller Guild: owns network posture (deny-all, allowlists), sealed-mode policy banners, and change control.
  • Export Center / Evidence Locker Guilds: produce and verify bundle manifests, DSSE envelopes, and Merkle roots.
  • Module owners (Excititor, Concelier, etc.): honor sealed-mode toggles, emit staleness headers, and refuse unsigned/unknown bundles.
  • Ops/Signals Guild: maintain time anchors and observability sinks compatible with sealed deployments.

Rule banner (sealed mode)

Display a top-of-console banner when sealed=true:

  • "Sealed mode: no external egress. Only registered bundles permitted. Imports logged; violations trigger audit."
  • Include current mirrorGeneration, bundle manifest hash, and time-anchor status.

Related documents

  • docs/airgap/airgap-mode.md — deeper policy shapes per mode.
  • docs/airgap/bundle-repositories.md — mirror/bootstrap bundle structure.
  • docs/airgap/staleness-and-time.md — time anchors and staleness checks.
  • docs/airgap/controller-scaffold.md / importer-scaffold.md — implementation scaffolds.