Security: mrdulasolutions/BOX-Onprem

SECURITY.md

Security policy and supply chain — box-memory-onprem

Threat model

This plugin's air-gap claim is enforced by what code ships, not by config. The five layers below enforce that no outbound Box API call leaks into a released plugin zip, and that the supply chain stays auditable.

If you're integrating this plugin for a regulated workflow (HIPAA, FedRAMP, ITAR), this document is your starting point for the trust posture.


Layer 1 — Pre-commit hook (local)

.git-hooks/pre-commit greps every staged SKILL.md, *.json, and *.md file for forbidden patterns:

  • mcp__ (any Box MCP tool reference)
  • https://api.box.com
  • http:// (any plaintext URL — likely a mistake)
  • https://*.box.com/api
  • raw.githubusercontent.com (we dropped runtime GitHub fetches for true zero-network)

A match blocks the commit. Developers enable the hook with:

git config --local core.hooksPath .git-hooks

Local overrides (--no-verify) don't propagate — CI re-runs the same check on push.


Layer 2 — GitHub Actions CI

.github/workflows/ci.yml runs on every PR and push to main:

  • scripts/ci-check-airgap.sh against the built plugin zip (same pattern scan, applied to extracted contents)
  • scripts/ci-check-schema-sync.sh confirms synced/ matches the pin in .schema-pin
  • claude plugin validate . against the manifest + every SKILL.md

CI failure blocks the merge. The check is a required status check and cannot be bypassed through repository settings.
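Layers 1 and 2 run the same pattern scan over different inputs. The script below is an added example of that shared scan, not the project's own .git-hooks/pre-commit or scripts/ci-check-airgap.sh: the five forbidden patterns from Layer 1 become one grep expression, and one function runs either over the staged files (hook mode) or over the contents of an extracted plugin zip (CI mode). The patterns are the ones listed in the policy; the file filters, the unzip handling and the sample files are assumptions.

```shell
#!/bin/sh
# Added example: one forbidden-pattern scan serving both the pre-commit hook
# (staged files) and the CI check (extracted release zip). Not the project's
# own scripts; the pattern list is from the policy, everything else is assumed.

# The five forbidden patterns as one extended regex. "https://*.box.com/api" is
# read as "any host under box.com followed by /api".
AIRGAP_FORBIDDEN='mcp__|https://api\.box\.com|http://|https://[^/[:space:]]*\.box\.com/api|raw\.githubusercontent\.com'

# airgap_scan FILE...
# Prints every hit as file:line:text. Returns 1 if any file matched, 0 if all
# were clean. Paths that no longer exist (files deleted in the commit) are skipped.
airgap_scan() {
    hits=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null as a second operand makes grep prefix the file name even
        # for a single real file (portable alternative to GNU's -H).
        if grep -nE "$AIRGAP_FORBIDDEN" "$f" /dev/null; then
            hits=1
        fi
    done
    return $hits
}

# Hook mode: only *.json and *.md paths staged in the index ('*.md' covers
# SKILL.md). --diff-filter=ACM excludes deletions. Paths containing whitespace
# are not handled by this simple loop.
scan_staged() {
    set --
    for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.json' '*.md'); do
        set -- "$@" "$f"
    done
    airgap_scan "$@"
}

# CI mode: extract the built plugin zip into a scratch directory and scan the
# same file types inside it. Returns 2 if the zip cannot be extracted.
scan_zip() {
    tmp=$(mktemp -d) || return 2
    unzip -q "$1" -d "$tmp" || { rm -rf "$tmp"; return 2; }
    set --
    for f in $(find "$tmp" -type f \( -name '*.json' -o -name '*.md' \)); do
        set -- "$@" "$f"
    done
    airgap_scan "$@"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample input: one clean skill file and one config that embeds the
# Box API host. Neither is taken from the real plugin.
DEMO=$(mktemp -d)
printf '# Search skill\nRead indexed files from the local Box Drive mount only.\n' > "$DEMO/SKILL.md"
printf '{"endpoint": "https://api.box.com/2.0/files"}\n' > "$DEMO/config.json"

airgap_scan "$DEMO/SKILL.md" && echo "SKILL.md: clean"
airgap_scan "$DEMO/config.json" || echo "config.json: blocked (exit $?)"
```

In hook mode the script is invoked with no arguments from .git-hooks and exits non-zero to block the commit; in CI mode it is called as `scan_zip dist/plugin.zip`. Note what the scan does and does not cover: it matches literal strings only, so a host split across a string concatenation or hidden in base64 passes both layers, which is exactly the gap Layer 5's human review is there to close.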


Layer 3 — Release artifacts include SHA256

Every release zip's SHA256 is published in the release notes. Users can verify before install:

shasum -a 256 /path/to/downloaded/box-memory-onprem-plugin.zip
# compare to the value published on the release page

GPG signing of release artifacts is planned for v0.0.5. Until then, SHA256 + commit history are the verification surface.


Layer 4 — Audit log per release

Each GitHub release page includes:

  • A diff summary against the previous release
  • The full output of scripts/ci-check-airgap.sh against the released zip
  • The .schema-pin value at the time of release
  • SHA256 of every artifact

This makes "did this release introduce a network call?" answerable without running anything — just read the release notes.


Layer 5 — Designated security reviewer (quarterly)

A designated reviewer (template at references/designated-security-reviewer-template.md) audits the plugin quarterly. The review checks for patterns that automated scans can't catch:

  • Cleverly obfuscated network references (string concatenation, base64, etc.)
  • Indirect calls via dependencies or transitive imports
  • SKILL.md content that would direct an LLM to make network calls implicitly

Each review is signed and posted as a release asset (e.g., v0.0.1-security-review.txt with the reviewer's GPG signature).

The role is intentionally separated from the maintainer — the same person should not author plugin code AND sign off on its security posture.


Reporting vulnerabilities

Please include:

  • Plugin version (check .claude-plugin/plugin.json)
  • Reproduction (or theoretical attack path if not yet weaponized)
  • Whether the issue affects v0.0.1 specifically or applies to the design

We respond to acknowledged reports within 5 business days.


What the plugin does NOT promise

To be precise about the scope of the air-gap claim:

  • The plugin does not encrypt your local disk. Use FileVault (macOS) / BitLocker (Windows).
  • The plugin does not validate Box Drive's trustworthiness. Box Drive is a third-party binary; you trust Box as a vendor.
  • The plugin does not control your LLM provider's compliance posture. See references/supported-llm-configs.md.
  • The plugin does not enforce retention or legal hold. Those are cloud-side Box features; configure them via Box admin.
  • The plugin does not prevent other agent tools from making network calls. The air-gap claim is scoped to this plugin's skills only.

See references/airgap-trust-model.md for the comprehensive boundary map.
