For some customers, "offline-first" isn't enough. They need "offline, provably, every time". EU government agencies with data-residency obligations. Classified military deployments. Contested-environment operations where every external network call is a signal an adversary could intercept. For those, Overwatch now ships with an explicit, persistent air-gapped mode.

The gap between "works offline" and "provably offline"

Overwatch has always been offline-first. The local decision engine runs on every advisor pass, the mission planner doesn't need internet to plan, the mission packager builds AirSDK archives locally, the MAVLink bridge connects drones directly to the operator's MacBook — nothing about the core product requires a network beyond the hotspot the drones connect to.

But "works offline" is not the same claim as "makes no external calls under any circumstances". A procurement reviewer asking "does this software ever contact a third-party service?" has to take "it depends on configuration" as an unsatisfying answer. So we made it unambiguous.

One toggle, one badge, one answer

In the Electron settings panel, there is now a section labelled Privacy — Air-Gapped Deployments with a single checkbox: "Disable external network calls". Tick it, save, restart. When the app launches, a persistent yellow 🔒 AIR-GAPPED badge shows in the top bar for the entire session. The operator sees it every time they look at the screen. Procurement reviewers can see it in screenshots. It doesn't go away unless the setting is explicitly disabled.

When air-gapped mode is active:

  • No IP-based geolocation. The "My Location" map button's fallback path that calls ipapi.co is skipped. If the operator clicks it and native geolocation (macOS Core Location) doesn't respond, a clear dialog explains: "External location lookup is disabled. Click on the map to place the base manually."
  • No cloud AI advisor calls. The Anthropic → OpenAI → Gemini failover chain is bypassed even if API keys are configured. Overwatch AI runs on the local physics engine only. The advisor source badge reads LOCAL on every decision.
  • No external weather fetches. The Open-Meteo forecast client doesn't fire. Wind readings come from the drone's own telemetry (MAVLink) or the operator's local weather station.
  • No Telegram / webhook notifications. Detection alerts and mission events stay inside the ground station. Export is operator-initiated only.

The decision engine, Safety Gate, mission planner, MAVLink bridge, pre-flight health panel, emergency controls — everything else — works identically to a non-air-gapped install. The operator sees the same UI, runs the same missions, gets the same telemetry.

Why a toggle, not just "don't configure the keys"

Cloud AI is already no-op when the API keys are blank. Weather fetches skip when the API is unreachable. Telegram and webhooks don't send when no endpoint is configured. So in principle, a customer who wanted air-gapped operation could get there by just never configuring the optional integrations.

That's not sufficient for procurement. "We don't think it calls out because we didn't enter any keys" is a soft guarantee. A procurement reviewer writing a statement of compliance wants a hard one: "the software is configured in a mode where no external network calls can be made, and that mode is visible in the UI at all times."

The toggle is the hard guarantee. It's the explicit switch that turns the soft no-op into a hard refusal. Set it once, confirm the badge shows, you're done. No need to audit every config field, no need to trust that future features won't add new external calls — the toggle is the single control point.

What it means for ICP customers

For EU government customers under GDPR / NIS2 data-residency requirements, air-gapped mode lets Overwatch be deployed without any US-hosted cloud dependency. The cloud AI providers we use by default (Anthropic, OpenAI, Google Gemini) are all US-headquartered, and their endpoints are US-based. For agencies required to keep operational data out of the US, bypassing them entirely is the simplest path.

For classified deployments, the toggle gives the security officer a single thing to verify during app inspection. Does the UI show AIR-GAPPED? Yes. Approved for operation. No need to pcap the network and prove no packets leave.

For contested-environment operations — where an adversary might be monitoring cellular and WiFi spectrum for signals — disabling every optional external call reduces the RF signature of the ground station to the minimum required for drone telemetry.

For coastguard and maritime teams who actually want cloud features (weather, notifications, cloud AI) when they have connectivity, the toggle is off by default. Normal mode stays normal. Air-gapped mode is an explicit choice for specific deployments.

What's next in Phase B

The first version of the toggle enforces at the client side for the calls we know about today. Phase B of the roadmap extends this to:

  • Server-side enforcement — the server process honours CLOUD_DISABLED too, so even if a future bug bypasses a client-side check, the server refuses to make the outbound call
  • Optional local-LLM refinement path via Ollama / Llama-3, running on the operator's Mac — so air-gapped deployments get AI refinement without any network at all
  • An audit log entry for every air-gapped-mode state change, so the audit trail shows exactly when the toggle was flipped and by which operator

If you need Overwatch in a deployment where no third-party traffic is allowed — classified, data-residency-bounded, or contested — get in touch and we'll walk through the air-gapped install + security-review pack with you.