git.stella-ops.org/docs/airgap/sealed-startup-diagnostics.md
StellaOps Bot ea970ead2a
2025-11-27 07:46:56 +02:00

AirGap Sealed-Mode Startup Diagnostics (prep for AIRGAP-CTL-57-001/57-002)

Goal

Prevent services from running when sealed-mode requirements are unmet and emit auditable diagnostics + telemetry.

Pre-flight checks

  1. airgap_state indicates sealed=true.
  2. Egress allowlist configured (non-empty or explicitly []).
  3. Trust root bundle + TUF metadata present and unexpired.
  4. Time anchor available (see TimeAnchor schema) and staleness budget not exceeded.
  5. Pending root rotations either applied or flagged with approver IDs.

On failure

  • Abort host startup with structured error code: AIRGAP_STARTUP_MISSING_<ITEM> (implemented as sealed-startup-blocked:<reason> in controller host).
  • Emit structured log fields: airgap.startup.check, status=failure, reason, bundlePath, trustRootVersion, timeAnchorDigest.
  • Increment counter airgap_startup_blocked_total{reason}; set gauge airgap_time_anchor_age_seconds when the anchor is missing or stale.
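An added example (not StellaOps code) of the five pre-flight checks and the failure handling above, as a self-contained C# console program. The record shapes, the reason strings and the 24-hour staleness budget are assumptions.

```csharp
// Added example, not StellaOps code: the five pre-flight checks and the failure record they
// produce. Record shapes, reason strings and the 24h staleness budget are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
public sealed record TrustRootBundle(string Path, string Version, DateTimeOffset ExpiresAt);
public sealed record TimeAnchor(string Digest, DateTimeOffset IssuedAt);
public sealed record RootRotation(string RootId, bool Applied, IReadOnlyList<string> ApproverIds);
// EgressAllowlist: null = never configured (fail); empty list = explicitly [] (pass).
public sealed record StartupInput(bool Sealed, IReadOnlyList<string>? EgressAllowlist,
    TrustRootBundle? TrustRoots, TimeAnchor? Anchor, IReadOnlyList<RootRotation> PendingRotations);
public static class SealedStartupValidator
{
    // One reason per failed check; maps to AIRGAP_STARTUP_MISSING_<ITEM> / sealed-startup-blocked:<reason>.
    public static IReadOnlyList<string> FailedChecks(StartupInput i, DateTimeOffset now, TimeSpan stalenessBudget)
    {
        var reasons = new List<string>();
        if (!i.Sealed) reasons.Add("sealed-state");
        if (i.EgressAllowlist is null) reasons.Add("egress-allowlist");
        if (i.TrustRoots is null || i.TrustRoots.ExpiresAt <= now) reasons.Add("trust-roots");
        if (i.Anchor is null || now - i.Anchor.IssuedAt > stalenessBudget) reasons.Add("time-anchor");
        if (i.PendingRotations.Any(r => !r.Applied && r.ApproverIds.Count == 0)) reasons.Add("root-rotation");
        return reasons;
    }
    // Structured log fields for airgap.startup.check on failure, as listed under "On failure".
    public static Dictionary<string, object?> FailureLog(StartupInput i, string reason) => new()
    {
        ["event"] = "airgap.startup.check", ["status"] = "failure", ["reason"] = reason,
        ["bundlePath"] = i.TrustRoots?.Path, ["trustRootVersion"] = i.TrustRoots?.Version,
        ["timeAnchorDigest"] = i.Anchor?.Digest,
    };
    public static void Main()
    {
        var now = new DateTimeOffset(2025, 11, 27, 7, 0, 0, TimeSpan.Zero);
        // Constructed input: sealed, allowlist explicitly [], roots valid, anchor 2 days old (stale).
        var input = new StartupInput(true, Array.Empty<string>(),
            new TrustRootBundle("/bundles/roots.tgz", "v3", now.AddDays(30)),
            new TimeAnchor("sha256:placeholder", now.AddDays(-2)),
            new[] { new RootRotation("root-2", Applied: false, ApproverIds: new[] { "alice" }) });
        var failed = FailedChecks(input, now, TimeSpan.FromHours(24));
        foreach (var reason in failed)
        {
            Console.WriteLine($"sealed-startup-blocked:{reason}"); // counter airgap_startup_blocked_total{reason}++
            foreach (var kv in FailureLog(input, reason)) Console.WriteLine($"  {kv.Key}={kv.Value}");
        }
        if (input.Anchor is { } a) Console.WriteLine($"airgap_time_anchor_age_seconds={(now - a.IssuedAt).TotalSeconds}");
        if (failed.Count > 0) Environment.Exit(1); // abort before endpoints are exposed
    }
}
```

In the controller host this would run from the IHostApplicationLifetime.ApplicationStarted callback, with the Console output replaced by the structured logger and meter.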

Telemetry hooks

  • Trace event airgap.startup.validation with attributes: sealed, allowlist.count, trust_roots.count, time_anchor.age_seconds, rotation.pending.
  • Timeline events (for 57-002): airgap.sealed and airgap.unsealed include startup validation results and pending rotations.

Integration points

  • Controller: run checks during IHostApplicationLifetime.ApplicationStarted before exposing endpoints.
  • Importer: reuse ImportValidator to ensure bundles + trust rotation are valid before proceeding.
  • Time component: provide anchor + staleness calculations to the controller checks.

Artefacts

  • This document (deterministic guardrails for startup diagnostics).
  • Code references: src/AirGap/StellaOps.AirGap.Importer/Validation/* for trust + bundle validation primitives; src/AirGap/StellaOps.AirGap.Time/* for anchors.

Owners

  • AirGap Controller Guild · Observability Guild.