ABS Core v4.1.0

Air-Gapped Operations

Install and operate ABS Core on servers with no internet access -- banks, defense, and classified environments.

ABS Core is designed to operate at full capacity on servers with no internet connectivity. This guide covers installation, key management, and ongoing operations in air-gapped environments.


What Works Without Internet

| Capability         | Air-Gapped | Notes                                      |
|--------------------|------------|--------------------------------------------|
| Governance engine  | Yes        | All policy evaluation is local             |
| Ed25519 signing    | Yes        | Keys are generated and stored locally      |
| Hash chain ledger  | Yes        | SQLite on local filesystem                 |
| Policy enforcement | Yes        | ALLOW / DENY / ESCALATE                    |
| Compliance reports | Yes        | Generated on-device                        |
| SAR Verifier       | Yes        | Standalone HTML, no external dependencies  |
| RFC 3161 timestamp | No         | Requires TSA network access                |
| License heartbeat  | No         | 30-day grace period applies                |
| Update channel     | No         | Manual update via USB/media transfer       |
| Threat intelligence| No         | Manual policy updates                      |

Installation

Step 1: Prepare the Package

On an internet-connected machine:

# Download the ABS Core package and all dependencies
npm pack @abscore/mcp-gateway
# This produces: abscore-mcp-gateway-4.1.0.tgz

Transfer the .tgz file to the air-gapped server via approved media (USB, optical disc, or secure file transfer).

Step 2: Install on the Air-Gapped Server

# Install from the local package
npm install ./abscore-mcp-gateway-4.1.0.tgz

# Initialize the governance configuration
npx @abscore/mcp-gateway init

Step 3: Generate Keys Locally

# Keys are generated on-device, no network needed
npx @abscore/mcp-gateway keys generate

# Output:
# [KeyProvider:FS] Keys stored at ~/.abs/keys/ (fingerprint: a3b4c5...)

License Activation

Online activation (before air-gap)

If the server will have temporary internet access during setup:

npx @abscore/mcp-gateway activate LICENSE-KEY-XXXX

Offline activation

For servers that never connect to the internet:

  1. Generate a machine fingerprint on the air-gapped server:

    npx @abscore/mcp-gateway fingerprint
    # Output: MACHINE-FP-a3b4c5d6e7f8

  2. On an internet-connected machine, visit abscore.app/activate and submit the license key + machine fingerprint.

  3. Receive an activation token. Transfer it to the air-gapped server.

  4. Apply the token:

    npx @abscore/mcp-gateway activate --offline-token TOKEN-XXXX

The offline license is valid for 365 days without any heartbeat.


RFC 3161 Without Internet

In air-gapped mode, RFC 3161 timestamps are unavailable. Each SAR will contain:

{
  "rfc3161_token": "",
  "rfc3161_authority": "",
  "temporal_drift_ms": 0
}

Mitigation: Use the server's NTP-synchronized hardware clock as the timestamp source. For legal admissibility, document the NTP configuration and clock calibration procedure.

For classified environments, consider a local TSA appliance (e.g., Guardtime, Ascertia) connected to the isolated network.


Updates

Updates in air-gapped environments follow a manual transfer process:

  1. Download the update package on an internet-connected machine
  2. Verify the dual signature (development key + production key)
  3. Transfer via approved media
  4. Apply on the air-gapped server:
    npx @abscore/mcp-gateway update --from-file abs-core-4.2.0.tgz

The engine_fingerprint in subsequent SARs will reflect the new version.


Backup and Recovery

Local Backup

# Export ledger to JSONL with integrity verification
npx @abscore/mcp-gateway backup --output /secure/backup/ledger-2026-04-11.jsonl

# Verify backup integrity
npx @abscore/mcp-gateway verify --file /secure/backup/ledger-2026-04-11.jsonl

Disaster Recovery

  1. Install ABS Core on the replacement server (from local package)
  2. Restore the key files from backup to ~/.abs/keys/
  3. Import the ledger backup:
    npx @abscore/mcp-gateway restore --from /secure/backup/ledger-2026-04-11.jsonl
  4. Verify chain integrity:
    npx @abscore/mcp-gateway verify
    # Chain integrity: VALID (4,231 blocks verified)

Compliance Verification

The standalone SAR Verifier (tools/sar-verifier.html) runs entirely in the browser with no external dependencies:

  1. Open sar-verifier.html in any browser on the air-gapped network
  2. Paste a SovereignAuditRecord JSON
  3. The verifier checks:
    • Hash chain integrity
    • Ed25519 signature presence
    • RFC 3161 token presence (flagged if missing)
    • All required fields present

No data leaves the browser. No network requests are made.
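
The checks listed above, sketched as a Node.js script over a JSONL ledger export. This is an added example, not the code of sar-verifier.html or of ABS Core. The field names prev_hash, hash, signature, seq and decision, the all-zero genesis value, and the SHA-256 over sorted keys are assumptions; only rfc3161_token, rfc3161_authority, temporal_drift_ms and engine_fingerprint appear in this guide.

```javascript
// Added example. Record layout and hashing scheme are assumptions, not ABS Core's schema.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64); // assumed prev_hash of the first record
const REQUIRED = ['prev_hash', 'hash', 'signature', 'engine_fingerprint', 'rfc3161_token'];

// SHA-256 over the record minus its own hash, keys sorted (flat records only).
function recordHash(rec) {
  const body = {};
  for (const k of Object.keys(rec).sort()) if (k !== 'hash') body[k] = rec[k];
  return createHash('sha256').update(JSON.stringify(body)).digest('hex');
}

function verifyLedger(jsonl) {
  const findings = [];
  const add = (index, level, msg) => findings.push({ index, level, msg });
  let prev = GENESIS;
  jsonl.split('\n').filter((l) => l.trim()).forEach((line, i) => {
    let rec;
    try { rec = JSON.parse(line); if (!rec || typeof rec !== 'object') throw new Error(); }
    catch (e) { return add(i, 'error', 'invalid record'); }
    for (const f of REQUIRED) if (!(f in rec)) add(i, 'error', `missing field ${f}`);
    // Presence check only: an Ed25519 signature is 64 bytes; no key verification here.
    const sig = Buffer.from(String(rec.signature || ''), 'base64');
    if (sig.length !== 64) add(i, 'error', 'signature absent or wrong length');
    if (rec.prev_hash !== prev) add(i, 'error', 'chain break');
    if (rec.hash !== recordHash(rec)) add(i, 'error', 'hash mismatch');
    // Expected on an air-gapped host: flag it, do not fail the chain.
    if (!rec.rfc3161_token) add(i, 'warn', 'no RFC 3161 token');
    prev = rec.hash;
  });
  return { valid: !findings.some((f) => f.level === 'error'), findings };
}

// Constructed sample ledger: placeholder signatures, empty timestamp fields.
function makeLedger(n) {
  const lines = [];
  let prev = GENESIS;
  for (let i = 0; i < n; i++) {
    const rec = { seq: i, decision: 'ALLOW', prev_hash: prev, engine_fingerprint: 'constructed',
      signature: Buffer.alloc(64, i + 1).toString('base64'),
      rfc3161_token: '', rfc3161_authority: '', temporal_drift_ms: 0 };
    rec.hash = recordHash(rec);
    prev = rec.hash;
    lines.push(JSON.stringify(rec));
  }
  return lines.join('\n');
}
console.log(verifyLedger(makeLedger(3)));
```

Editing one record yields a hash mismatch at that index, while dropping a record yields a chain break at the record that followed it; the missing RFC 3161 token is reported as a warning and does not invalidate the chain.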

