Air-gap runtime — BUILD-TIME / RUNTIME boundary

Layer 2 · image built with Internet · runtime guaranteed 100% offline

Physical boundary between image build (Internet OK) and customer execution (100% offline).

BUILD-TIME (build phase) · Internet OK · CI or dev machine

  • docker build (multi-stage): minimal Python base · backend HTTP + WS · vector storage client · single shippable image
  • pip install: runtime stack · backend dependencies · embedder libraries, pulled from public registries
  • Embedder model: multilingual embedder (proprietary model) · semantic vectors · baked into the image · 100% self-contained
  • Source: no legacy marketing HTML · minimal base image (no AGPL dependency) · no external service trace in the image
  • Cellule-PRO proprietary code: private namespace · business plugins · reproducible signed install · build-time isolation checks
  • Output: image-pool-cellule-pro:vX.Y · Ed25519-signed image · self-contained, all embedded · offline-deliverable → USB-transferable / private registry

RUNTIME (running on customer site) · 100% offline · air-gap guaranteed · firewall possible

  ENV VARS — air-gap enforced
    EMBEDDER_OFFLINE=1
    TRANSFORMERS_OFFLINE=1
    CLUSTER_MODE=enterprise
    EMBEDDER_PATH=<local>
    FEDERATION=active
    POOL_URL=http://<pool-lan>:<port>
    no external service · no public URL

  ✕ DENIED AT RUNTIME
    ✕ public model registries
    ✕ external dependency mirrors
    ✕ public package registries
    ✕ vendor public registry
    ✕ worker auto-update
    ✕ external pool discovery
    ✕ public route redirects
    ✕ marketing static HTML

  ✓ ALLOWED AT RUNTIME
    ✓ LAN: paired peers, private WAN
    ✓ Local storage (LAN port)
    ✓ Local inference engine
    ✓ Intra-corporate SMTP
    ✓ Restrictive default CORS
    ✓ baked embedder (local file)
    ✓ Signed replication, private peers
    ✓ Worker pool_url is relative

  runtime isolation hardened · internal audit validated

  POOL RUNNING — enterprise runtime
    ⚡ Active services: Backend HTTP + WebSocket · Modular business plugins · Periodic cluster balancer · Configurable failsafe
    🔒 Runtime controls: Admin Bearer token · OWASP password hashing · Ed25519 sig peers + workers · GDPR audit

  Delivery: append-only Docker container with minimum capabilities · no host privileges
  ✕ outbound to public registry → DNS denied / offline flag blocks
  Customer firewall can block everything except LAN — works the same
Build-time (Internet OK)
Runtime (100% offline)
Denied at runtime
Allowed at runtime

What enters the image once

  • Runtime Python stack from public registries
  • Multilingual embedder (proprietary model baked in)
  • HTTP backend + relational vector storage
  • Cellule-PRO proprietary code (private)
  • Everything baked into the deliverable image

What is denied at runtime

  • No outbound calls to public registries
  • No worker auto-update
  • No external pool discovery
  • No redirect to public services
  • Restrictive default CORS

Audit validation

  • Hardened isolation, internal audit complete
  • docker logs | grep external-host → empty
  • Marketing statics removed from the image
  • Public routes gated
  • Customer firewall can block all WAN
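As an added pre-flight check (example code, not the product's own), this Python script validates the runtime ENV VARS listed in the diagram against the offline posture before the pool starts: offline flags set, embedder path local, POOL_URL pointing at a LAN host. The LAN hostname suffixes and the sample env values are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Flags the runtime block above lists as air-gap enforcement; each must be "1".
REQUIRED_OFFLINE_FLAGS = ("EMBEDDER_OFFLINE", "TRANSFORMERS_OFFLINE")
# Assumed LAN naming convention for the site; adjust to your own DNS.
LAN_SUFFIXES = {"local", "lan", "internal"}


def is_lan_host(host: str) -> bool:
    """True for non-global IPs (RFC 1918, loopback, link-local) and for
    single-label or LAN-suffixed hostnames; False for anything public."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        labels = host.lower().rstrip(".").split(".")
        return len(labels) == 1 or labels[-1] in LAN_SUFFIXES


def check_airgap_env(env: dict) -> list:
    """Return a list of violations; an empty list means the env matches
    the offline posture. Only the variables the diagram names are checked."""
    findings = []
    for flag in REQUIRED_OFFLINE_FLAGS:
        if env.get(flag) != "1":
            findings.append(f"{flag} must be 1, got {env.get(flag)!r}")
    if env.get("CLUSTER_MODE") != "enterprise":
        findings.append("CLUSTER_MODE must be enterprise")
    path = env.get("EMBEDDER_PATH", "")
    if not path or "://" in path:
        findings.append("EMBEDDER_PATH must be a local file path, not a URL")
    parts = urlsplit(env.get("POOL_URL", ""))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        findings.append("POOL_URL must be an http(s) URL with a host")
    elif not is_lan_host(parts.hostname):
        findings.append(f"POOL_URL host {parts.hostname!r} is not a LAN address")
    return findings


if __name__ == "__main__":
    # Constructed sample envs: one compliant, one that points at a public host.
    good = {"EMBEDDER_OFFLINE": "1", "TRANSFORMERS_OFFLINE": "1",
            "CLUSTER_MODE": "enterprise", "EMBEDDER_PATH": "/opt/models/embedder",
            "FEDERATION": "active", "POOL_URL": "http://10.20.0.5:8080"}
    bad = dict(good, TRANSFORMERS_OFFLINE="0", POOL_URL="https://hub.example.com/api")
    print("good:", check_airgap_env(good))   # []
    print("bad:", check_airgap_env(bad))     # two findings
```

Run it in the container entrypoint with `os.environ` and refuse to start the pool when the list is non-empty.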