Skip to content
Hussh
Connect MCP

Air-Gapped Offline Mode — local-first consent-driven architecture

The public design concept for Hussh's offline-first, air-gapped development and testing model, enabling complete local-loop execution with SQLite, zero external services, and biometric fallback simulations.

Concept

TL;DR: Air-Gapped Offline Mode is Hussh's design concept for local-first, zero-connectivity development and validation where all platform components (DB, auth, AI, email) run entirely locally under full security parity.

Status as of 2026-06-16: see body.

Relations

  • PCHP — the core consent protocol that offline mode fully supports and persists.
  • Hermes Agent — the public agent framework supported by the offline-first runtime.

The Local-First Premise

In an agentic, zero-knowledge ecosystem where the user truly owns their data, local-first execution is not an optimization—it is a core trust guarantee. To make the Switzerland thesis credible, the development and runtime environment must be capable of running in a fully air-gapped offline posture. This ensures:

  1. Development Autonomy: Engineers and agents can develop, test, and validate core consent protocol interactions without any dependencies on remote cloud resources (Postgres, Firebase, or external AI models).
  2. Zero-Knowledge Isolation: Local sandboxes are physically isolated from external telemetry, proving that personal-knowledge-model (PKM) blobs and vault encryption keys remain entirely under local owner control.
  3. Continuous Verification: Under heavy CI/CD pipelines and automated agent-driven development, the local-first execution loop runs instantly without network lag or API rate limiting.

The Two-Layer Offline Architecture

The architecture maps existing cloud-backed production components to zero-dependency local equivalents.

1. Database Parity Layer

Production uses PostgreSQL for structured data and metadata. Offline mode maps this seamlessly to SQLite (WAL mode) with an identical schema. Rather than executing Postgres-specific dialects, the database client compiles portable queries compatible with both engines. All core tables (including consent_audit, consent_exports, pkm_blobs, and vault_keys) are auto-initialized on first boot.

2. Service Mocking Layer

External SaaS boundaries are replaced with local, zero-state adapters:

  • Authentication: Mock tokens bypass external OAuth and identity providers, providing deterministic, local review sessions.
  • Intelligence (AI/LLM): Model endpoints degrade gracefully to local model engines (such as LM Studio or Ollama running over loopback) or mock responses, eliminating external api costs during integration runs.
  • Integrations: Email connectors (e.g., Gmail) and financial holding streams (e.g., Plaid) are stubbed with reproducible signal payloads.

Seamless Handoff Boundary

Offline mode maintains strict functional parity with the production gateway. When connectivity is restored, local data caches, consent records, and encrypted PKM updates can sync to the global platform topology without schema conversion or signature mismatches. This clean division of labor ensures that local-first simplicity never degrades production security.

Sources

  • (none — synthesis only)