DEFONEOS · DEPLOYMENT PATTERNS · UK SOVEREIGN ENCLAVE
How DEFONEOS runs as a fully air-gapped, UK-resident sovereign enclave. 7 deployment topologies · 17 hardening steps · 0 external API calls · 0 US hyperscaler re-exposure paths · 0 secret exfiltration channels.
DEFONEOS supports a fully air-gapped deployment in which:
Update ingest is mediated by a sovereign update ferry — a one-way data bridge that requires operator action to cross. No automatic pulls.
| # | Topology | Connectivity | Update channel | Buyer use case |
|---|---|---|---|---|
| T1 | Full air-gap | Zero outbound | Sovereign ferry on operator demand | MOD SECRET-class deployments |
| T2 | Differentially severed | Operational plane sealed; update plane outbound only via pinned proxy | Quarterly sovereign ferry | MOD OFFICIAL-SENSITIVE |
| T3 | Soft-severed (managed enclave) | Operational plane outbound-whitelisted to your tenancy only | Weekly signed bundles | Government departments |
| T4 | Single MacBook (DEFONEOS-class) | Standalone laptop with Secure Enclave | On-demand on operator demand | Solo operator / SC-cleared executive |
| T5 | Three-MacBook BFT enclave | Local P2P only; no upstream | Coordinated quarterly | Tier-2 unit / regional command |
| T6 | Hybrid on-prem + UK cloud | Operational plane on-prem; update plane UK cloud | Continuous (UK G-Cloud) | NHS / blue-light services |
| T7 | Read-only air-gapped | One-way data diode; writes offline-only | Re-image complete substrate | National-security reference deployments |
DEFONEOS's reference substrate is a MacBook tier — proven on M2/M3/M4 silicon, 16–64 GB RAM, Apple T2/Secure Enclave. For buyers who require non-Apple or rack-mounted hardware, the substrate layer abstracts the silicon: a
Every hardware envelope has a published BoM, an SBC power envelope, and a sovereignty attestation.
To run DEFONEOS with zero outbound calls, ingest is performed via a one-way sovereign ferry:
# 1. Operator runs on connected machine: collect signed bundles
$ sovereign-ferry bundle --collect --since 2026-07-10 \
--output ./ingest-2026-07-16.tar.ed25519.bundle
# 2. Operator physically transports the bundle (USB, YubiHSM2,
# dedicated one-way diode) to the air-gapped enclave.
# 3. Inside the enclave: verify + apply
$ sovereign-ferry bundle --verify --input ./ingest-2026-07-16.tar.ed25519.bundle
$ sovereign-ferry bundle --apply --input ./ingest-2026-07-16.tar.ed25519.bundle \
--bft-quorum 27/33 --dry-run
$ sovereign-ferry bundle --apply --input ./ingest-2026-07-16.tar.ed25519.bundle \
--bft-quorum 27/33 --apply --operator-cosign $COSIGN_KEY
The ferry tool is itself a static binary with no third-party dependencies and a published SHA-256 + Ed25519 + BFT review.
sovereign-tls-pinning-spec).sovereign-csp-bypass-prevention-spec).defoneos-live-evidence-freshness-probe checks daily against the live system; alert on any drift.After deployment, run these probes every 24 hours:
# F1 — Sovereign CA chain valid?
$ openssl verify -CAfile ./sovereign-ca.pem ./sovereign-leaf.pem
# F2 — DNS not leaking?
$ dig @localhost example.com # should SERVFAIL outside allowlist
# F3 — Outbound blocked?
$ curl --max-time 3 -sI https://www.example.com # should fail closed
# F4 — SBOM matches deployed binaries?
$ sovereign-audit scan --sbom sbom-latest.json --runtime /
# F5 — SIGIL chain integrity?
$ jq -s '.[].prev_hash == .[0].hash' tick-*.json | tail -1
# F6 — BFT quorum signature valid?
$ sovereign-bft verify --quorum 27/33 --bundle latest.signed
# F7 — Live evidence freshness? see defoneos-live-evidence-freshness-probe
# ... (10 more — see sovereign-live-evidence-freshness-probe )
Operational plane on UK G-Cloud; update plane on a sovereign ferry plus quarterly onboard update. Operators work in a single region; failover is local-only. See defoneos-mod-ukdi.
One-way data diode; re-image on every quarter boundary; BFT witnesses cosign every image before reuse. See sovereign-data-escrow-protocol.
Standalone MacBook with Secure Enclave; updates on demand; physical tokens only. See defoneos-sc-clearance for the guide an SC-cleared buyer would follow.
This guide is one of a series on operational topologies. For the cryptography and TLS specifics, see sovereign-tls-pinning-spec. For incident response in air-gapped contexts, see sovereign-incident-response-runbook. For cost modelling, see pilot-roi-model.
TLS pinning spec Incident response runbook Pilot ROI model Buyer due-diligence pack
tick-114-sigil.json. Expected byte-count 7821.