Run Stella Ops on Air‑Gapped Networks

What the kit enables

The Offline Update Kit includes an installable bundle and runbook so air-gapped deployments keep parity with connected environments.

• → Full vulnerability scanning with up-to-date advisories from 33+ sources
• → Reachability analysis and VEX-aware risk filtering without internet access
• → Policy-gated promotions with signed Decision Capsules for every release
• → Deterministic replay and audit verification — no network required

1 · What's inside

Three steps to update

1. 1

   Download and verify

   Fetch the latest kit and signature on a connected mirror. Verify with your Cosign public key before transfer.

2. 2

   Transfer to air-gapped site

   Use your approved channel: USB, courier, or controlled rsync drop box. Unsigned bundles never cross the boundary.

3. 3

   Import

   Run stella offline-kit import or use the Console UI. Feeds swap in under three seconds with zero downtime.

$ stella offline-kit import stella-ouk-2026-01-20.tar.gz --verify
Verifying bundle signature... OK
Importing vulnerability feeds... 33 sources updated
Importing container images... 12 images loaded
Importing provenance data... OK

Offline Kit imported successfully
Knowledge snapshot: 2026-01-20T00:00:00Z
Next update recommended: 2026-01-27

Automation scripts, manifest audits, and troubleshooting live in the <a href="/docs/offline_kit/" class="link">Offline Kit guide</a>.

Keep multiple sites in sync

1. 1

   Schedule downloads

   Configure cron on a connected mirror to fetch the latest kit on your preferred cadence.

2. 2

   Distribute via approved channel

   Transfer to each site via USB, courier, or controlled drop box per your security policy.

3. 3

   Import per change window

   Each air-gapped site imports independently according to its own maintenance schedule.

Before you import