Air-gap mode: what it does, and what it does not

Air-gap mode disables every outbound network call from the running app. With it on, no DNS, no HTTPS, no keyserver lookups, no Drand fetches, no analytics. The only thing crossing the network boundary is the initial page load (which is cached by the service worker after the first visit).

What it covers

• Keyserver lookups in the Key Inspector — disabled.
• Drand beacon fetches in the Time-Lock tool — disabled.
• Google Analytics — never fires anyway, but explicitly blocked.
• Hidden third-party scripts injected by a browser extension — would fail to fetch their payloads.

What it does not cover

• A compromised browser. If your browser itself is malicious, it can ignore air-gap mode entirely.
• Browser extensions running outside the app sandbox. Extensions can read clipboard and DOM contents regardless of what the app does.
• The OS layer — keyloggers, screen capture, swap files holding plaintext.

The strong setup

For maximum assurance: install the app as a PWA on a fresh, fully patched laptop, disconnect the laptop from the network, then run the app. The PWA shell is already cached locally, so it works offline. Combined with a passphrase-protected private key on encrypted disk, this is roughly the threat model that PGP was designed for.