All outbound network traffic is physically blocked at the appliance. No DNS, no model API calls, no telemetry. Every inference, classification, and document is generated on-device using models pre-baked into the appliance image before it shipped. Use air-gap mode when procurement workflows touch ITAR-controlled components, EAR-listed materials, or data that can’t legally be processed outside a controlled boundary.Documentation Index
Fetch the complete documentation index at: https://docs.leedab.com/llms.txt
Use this file to discover all available pages before exploring further.
Capabilities
| Capability | Standard | Air-gap |
|---|---|---|
| All 5 ABs | ✓ | ✓ |
| On-device inference | ✓ | ✓ |
| Frontier model API access | Optional | Not available |
| SIEM log export | ✓ | ✓ (internal network only) |
| SAML SSO | ✓ | ✓ (internal IdP only) |
| Internet egress | Optional | Blocked |
How air-gap works
- Pre-baked image — models and tooling embedded before the hardware ships
- Physical egress block — disabled at hardware level, not just a firewall rule
- Signed image updates — unsigned images are rejected
- On-device inference only — model choice is finalized before the appliance ships
Setup
Air-gap mode is configured before the appliance ships — not a toggle you flip after installation.- Tell your solutions engineer you need air-gap mode during the scoping call.
- The engineer configures the appliance image with egress-disabled hardware settings.
- Day 0 — the appliance arrives with air-gap mode already active.
- Days 1–3 — ABs are enrolled over your internal network. No external connectivity needed.
Updates
Updates arrive as signed appliance images applied via the LeedAB update CLI. The signature is verified before writing. Each update is recorded in the WORM audit trail.See also
Security overview
Encryption, audit logging, and role-based access.
Access control
SAML SSO, SCIM provisioning, and approval workflows.