semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/zastava/elf-build-id-correlation-and-dso-tracking.md
+++ b/docs/features/unchecked/zastava/elf-build-id-correlation-and-dso-tracking.md
@@ -0,0 +1,28 @@
+# ELF Build-ID Correlation and DSO Tracking
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+ELF Build-ID reader for correlating runtime binaries with SBOM entries and collecting runtime process facts including DSO information.
+
+## Implementation Details
+- **ElfBuildIdReader**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ElfBuildIdReader.cs` -- reads ELF Build-ID from binaries for SBOM correlation
+- **RuntimeProcessCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeProcessCollector.cs` -- collects running process information including DSO (dynamic shared object) data
+- **RuntimeFactsBuilder**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeFactsBuilder.cs` -- builds runtime facts from process snapshots and ELF data
+- **ProcSnapshotCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/ProcSnapshotCollector.cs` -- collects /proc snapshot data for running containers
+- **DotNetAssemblyCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/DotNetAssemblyCollector.cs` -- .NET assembly DSO tracking
+- **JavaClasspathCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/JavaClasspathCollector.cs` -- Java classpath DSO tracking
+- **PhpAutoloadCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/PhpAutoloadCollector.cs` -- PHP autoload DSO tracking
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Runtime/ElfBuildIdReaderTests.cs`, `RuntimeProcessCollectorTests.cs`, `RuntimeFactsBuilderTests.cs`, `TestSupport/ElfTestFileBuilder.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify ELF Build-ID extraction from container binaries matches SBOM entries
+- [ ] Test DSO tracking for .NET assemblies, Java classpaths, and PHP autoloads
+- [ ] Verify runtime facts builder produces complete process inventory with Build-IDs
+- [ ] Test correlation between ELF Build-IDs and SBOM component digests
+- [ ] Verify /proc snapshot captures all loaded shared objects for a container process
--- a/docs/features/unchecked/zastava/runtime-posture-evaluation.md
+++ b/docs/features/unchecked/zastava/runtime-posture-evaluation.md
@@ -0,0 +1,29 @@
+# Runtime Posture Evaluation
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Runtime posture evaluator that assesses the security posture of running containers with caching support.
+
+## Implementation Details
+- **IRuntimePostureEvaluator interface**: `src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureEvaluator.cs` -- evaluates runtime security posture of containers
+- **RuntimePostureEvaluator**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluator.cs` -- default posture evaluation implementation
+- **RuntimePostureEvaluationResult**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluationResult.cs` -- evaluation result model
+- **IRuntimePostureCache**: `src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureCache.cs` -- caching interface for posture evaluations
+- **RuntimePostureCache**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCache.cs` -- in-memory cache for posture results
+- **RuntimePostureCacheEntry**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCacheEntry.cs` -- cache entry model
+- **IRuntimePolicyClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/IRuntimePolicyClient.cs` -- client for runtime policy evaluation backend
+- **RuntimePolicyClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimePolicyClient.cs` -- runtime policy client implementation
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Posture/RuntimePostureEvaluatorTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify posture evaluator assesses container security state from runtime facts
+- [ ] Test posture cache returns cached results for repeated evaluations within TTL
+- [ ] Verify posture evaluation integrates with runtime policy backend
+- [ ] Test cache invalidation on container state change
+- [ ] Verify evaluation results include posture score and risk indicators
--- a/docs/features/unchecked/zastava/verdict-observer-validator-ledger.md
+++ b/docs/features/unchecked/zastava/verdict-observer-validator-ledger.md
@@ -0,0 +1,27 @@
+# Verdict Observer/Validator/Ledger
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Verdict subsystem with observer, validator, and ledger interfaces for tracking security verdicts at runtime.
+
+## Implementation Details
+- **IVerdictObserver interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictObserver.cs` -- observes and records verdict decisions
+- **IVerdictValidator interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictValidator.cs` -- validates verdict integrity and consistency
+- **IVerdictLedger interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictLedger.cs` -- append-only ledger for verdict history
+- **VerdictObserverContracts**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/VerdictObserverContracts.cs` -- verdict DTOs and contract models
+- **AdmissionDecision**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs` -- admission verdict decision model
+- **ZastavaContractVersions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs` -- contract versioning for verdict schemas
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify verdict observer records admission decisions with full context
+- [ ] Test verdict validator checks decision integrity (hash, signature, timestamp)
+- [ ] Verify verdict ledger provides append-only history with immutable entries
+- [ ] Test contract versioning handles schema evolution
+- [ ] Verify verdict chain maintains consistency across observer restarts
--- a/docs/features/unchecked/zastava/windows-container-runtime-support.md
+++ b/docs/features/unchecked/zastava/windows-container-runtime-support.md
@@ -0,0 +1,27 @@
+# Windows Container Runtime Support
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Windows container runtime monitoring with ETW event source integration, PE format library hashing, and Windows-specific container lifecycle tracking within the Zastava Observer.
+
+## Implementation Details
+- **IWindowsContainerRuntimeClient interface**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/IWindowsContainerRuntimeClient.cs` -- Windows-specific container runtime client
+- **DockerWindowsRuntimeClient**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/DockerWindowsRuntimeClient.cs` -- Docker for Windows runtime client implementation
+- **WindowsContainerInfo**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/WindowsContainerInfo.cs` -- Windows container metadata model
+- **WindowsLibraryHashCollector**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/WindowsLibraryHashCollector.cs` -- PE format library hashing for Windows DLLs
+- **ContainerStateTracker**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs` -- shared container lifecycle state tracking
+- **ContainerStateTrackerFactory**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTrackerFactory.cs` -- factory for creating state trackers per runtime type
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/ContainerRuntime/Windows/WindowsContainerRuntimeTests.cs`
+- **Source**: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md
+
+## E2E Test Plan
+- [ ] Verify Docker for Windows runtime client enumerates running Windows containers
+- [ ] Test PE format library hashing collects DLL hashes for SBOM correlation
+- [ ] Verify Windows container lifecycle tracking (start/stop/restart)
+- [ ] Test container state tracker handles Windows-specific container states
+- [ ] Verify Windows library hash collector supports .NET Framework and .NET Core DLLs
--- a/docs/features/unchecked/zastava/zastava-admission-webhook.md
+++ b/docs/features/unchecked/zastava/zastava-admission-webhook.md
@@ -0,0 +1,34 @@
+# Zastava Admission Webhook
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.
+
+## Implementation Details
+- **AdmissionEndpoint**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs` -- webhook endpoint handling admission review requests
+- **AdmissionReviewParser**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs` -- parses Kubernetes AdmissionReview payloads
+- **AdmissionReviewModels**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs` -- admission review request/response models
+- **AdmissionResponseBuilder**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs` -- builds allow/deny responses with status and audit annotations
+- **AdmissionRequestContext**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs` -- contextual data for admission evaluation
+- **FacetAdmissionValidator**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs` -- facet-based validation rules
+- **ImageDigestResolver**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs` -- resolves image tags to digests
+- **RuntimeAdmissionPolicyService**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs` -- evaluates runtime admission policies
+- **RuntimePolicyCache**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs` -- caches policy decisions
+- **Certificate management**: `src/Zastava/StellaOps.Zastava.Webhook/Certificates/` -- `IWebhookCertificateProvider`, `SecretFileCertificateSource`, `CsrCertificateSource`, `WebhookCertificateHealthCheck`
+- **StartupValidationHostedService**: `src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs` -- validates webhook configuration on startup
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/` -- `AdmissionResponseBuilderTests.cs`, `AdmissionReviewParserTests.cs`, `FacetAdmissionValidatorTests.cs`, `RuntimeAdmissionPolicyServiceTests.cs`; `Certificates/` -- `SecretFileCertificateSourceTests.cs`, `WebhookCertificateProviderTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify webhook accepts and parses Kubernetes AdmissionReview requests
+- [ ] Test image digest resolution converts tags to sha256 digests before evaluation
+- [ ] Verify facet-based admission rules allow/deny containers based on policy
+- [ ] Test runtime admission policy service evaluates verdicts from backend
+- [ ] Verify admission response includes audit annotations for allowed/denied decisions
+- [ ] Test certificate management handles TLS renewal and health checks
+- [ ] Verify policy cache reduces latency for repeated admission evaluations
--- a/docs/features/unchecked/zastava/zastava-agent.md
+++ b/docs/features/unchecked/zastava/zastava-agent.md
@@ -0,0 +1,31 @@
+# Zastava Agent (VM/Bare-Metal Docker Socket Deployment)
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Standalone agent for VM and bare-metal hosts that monitors Docker socket events for container lifecycle tracking. Alternative to the CRI-based Observer for non-Kubernetes environments, with systemd service deployment and Ansible provisioning support.
+
+## Implementation Details
+- **Agent Program**: `src/Zastava/StellaOps.Zastava.Agent/Program.cs` -- standalone agent entry point
+- **DockerSocketClient**: `src/Zastava/StellaOps.Zastava.Agent/Docker/DockerSocketClient.cs` -- Docker socket client for monitoring container events via Unix/named pipe socket
+- **IDockerSocketClient**: `src/Zastava/StellaOps.Zastava.Agent/Docker/IDockerSocketClient.cs` -- Docker socket client interface
+- **DockerEventModels**: `src/Zastava/StellaOps.Zastava.Agent/Docker/DockerEventModels.cs` -- Docker event payload models (start, stop, die, etc.)
+- **DockerEventHostedService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/DockerEventHostedService.cs` -- background service consuming Docker socket events
+- **RuntimeEventBuffer**: `src/Zastava/StellaOps.Zastava.Agent/Worker/RuntimeEventBuffer.cs` -- buffers runtime events for batch dispatch
+- **RuntimeEventDispatchService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/RuntimeEventDispatchService.cs` -- dispatches buffered events to backend
+- **RuntimeEventsClient**: `src/Zastava/StellaOps.Zastava.Agent/Backend/RuntimeEventsClient.cs` -- HTTP client for posting events to platform backend
+- **HealthCheckHostedService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/HealthCheckHostedService.cs` -- agent health check background service
+- **ZastavaAgentOptions**: `src/Zastava/StellaOps.Zastava.Agent/Configuration/ZastavaAgentOptions.cs` -- agent configuration
+- **AgentServiceCollectionExtensions**: `src/Zastava/StellaOps.Zastava.Agent/Worker/AgentServiceCollectionExtensions.cs` -- DI registration
+- **Source**: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md
+
+## E2E Test Plan
+- [ ] Verify agent connects to Docker socket and receives container lifecycle events
+- [ ] Test event buffering and batch dispatch to platform backend
+- [ ] Verify agent handles Docker socket reconnection on connection loss
+- [ ] Test health check service reports agent status
+- [ ] Verify agent works on both Linux (Unix socket) and Windows (named pipe) hosts
--- a/docs/features/unchecked/zastava/zastava-contract-validators.md
+++ b/docs/features/unchecked/zastava/zastava-contract-validators.md
@@ -0,0 +1,28 @@
+# Zastava Contract Validators
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Runtime and admission contract validators enforcing tenant-scoped binding rules, configuration schema compliance, and threshold-based verdicts for Zastava observer and webhook components.
+
+## Implementation Details
+- **ZastavaContractValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaContractValidator.cs` -- validates runtime and admission contracts against schema, tenant scoping, and threshold rules
+- **ZastavaContractVersions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs` -- versioned contract schemas for observer and webhook
+- **RuntimeEvent contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs` -- runtime event contract model
+- **AdmissionDecision contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs` -- admission decision contract model
+- **SurfaceCacheValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Validation/SurfaceCacheValidator.cs` -- validates surface cache consistency
+- **ZastavaRuntimeOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaRuntimeOptions.cs` -- runtime configuration schema
+- **ZastavaSurfaceSecretsOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaSurfaceSecretsOptions.cs` -- surface secrets configuration
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs`, `Validation/OfflineStrictModeTests.cs`
+- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md
+
+## E2E Test Plan
+- [ ] Verify contract validator enforces tenant-scoped binding rules
+- [ ] Test configuration schema compliance for runtime options
+- [ ] Verify threshold-based verdict validation rejects out-of-range values
+- [ ] Test contract version compatibility checks for schema evolution
+- [ ] Verify surface cache validator detects inconsistencies
--- a/docs/features/unchecked/zastava/zastava-runtime-observer.md
+++ b/docs/features/unchecked/zastava/zastava-runtime-observer.md
@@ -0,0 +1,35 @@
+# Zastava Runtime Observer (CRI Container Lifecycle Tracking)
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Full CRI-based container runtime observer with lifecycle tracking, state tracking, and polling. Supports both CRI (Linux) and Docker Windows runtimes.
+
+## Implementation Details
+- **Observer Program**: `src/Zastava/StellaOps.Zastava.Observer/Program.cs` -- CRI-based observer entry point
+- **CRI runtime**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/` -- `CriRuntimeClient.cs`, `CriRuntimeClientFactory.cs`, `CriModels.cs`, `CriConversions.cs` for CRI socket-based container monitoring
+- **ContainerStateTracker**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs` -- tracks container lifecycle state transitions
+- **ContainerLifecycleHostedService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerLifecycleHostedService.cs` -- background service for lifecycle event processing
+- **ContainerRuntimePoller**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerRuntimePoller.cs` -- polls container runtime for state changes
+- **RuntimeEventBuffer**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeEventBuffer.cs` -- buffers events before dispatch
+- **RuntimeEventDispatchService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventDispatchService.cs` -- dispatches events to backend
+- **RuntimeEventFactory**: `src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventFactory.cs` -- creates typed runtime events
+- **ObserverBootstrapService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ObserverBootstrapService.cs` -- observer startup and initialization
+- **BackoffCalculator**: `src/Zastava/StellaOps.Zastava.Observer/Worker/BackoffCalculator.cs` -- exponential backoff for retry logic
+- **RuntimeFactsClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimeFactsClient.cs` -- client for posting runtime facts to backend
+- **RuntimeEventsClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimeEventsClient.cs` -- client for posting runtime events
+- **ZastavaObserverOptions**: `src/Zastava/StellaOps.Zastava.Observer/Configuration/ZastavaObserverOptions.cs` -- observer configuration
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/` -- `ContainerRuntimePollerTests.cs`, `Runtime/RuntimeEventBufferTests.cs`, `Worker/RuntimeEventFactoryTests.cs`, `Backend/RuntimeEventsClientTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify CRI runtime client connects to CRI socket and lists containers
+- [ ] Test container state tracker detects start/stop/restart lifecycle events
+- [ ] Verify runtime event buffer batches and dispatches events efficiently
+- [ ] Test both Linux CRI and Windows Docker runtime support
+- [ ] Verify observer bootstrap initializes and recovers from failures with backoff
+- [ ] Test runtime facts and events are posted to backend clients
--- a/docs/features/unchecked/zastava/zastava-verdict-hashing-and-security.md
+++ b/docs/features/unchecked/zastava/zastava-verdict-hashing-and-security.md
@@ -0,0 +1,29 @@
+# Zastava Verdict Hashing and Security
+
+## Module
+Zastava
+
+## Status
+IMPLEMENTED
+
+## Description
+Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.
+
+## Implementation Details
+- **ZastavaHashing**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs` -- deterministic hashing for verdict decisions
+- **ZastavaCanonicalJsonSerializer**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs` -- RFC 8785 canonical JSON serialization for deterministic hashing
+- **IZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs` -- authority token provider interface
+- **ZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs` -- OIDC-based token provider for authenticated backend communication
+- **ZastavaOperationalToken**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs` -- operational token model
+- **AuthorityTokenProvider**: `src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs` -- webhook-specific token provider
+- **OfflineStrictModeHandler**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs` -- HTTP handler enforcing offline/air-gap mode restrictions
+- **ZastavaRuntimeMetrics**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs` -- metrics for security operations
+- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs`, `Serialization/ZastavaCanonicalJsonSerializerTests.cs`, `Validation/OfflineStrictModeTests.cs`
+- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md
+
+## E2E Test Plan
+- [ ] Verify deterministic hashing produces identical hashes for equivalent verdicts
+- [ ] Test canonical JSON serialization follows RFC 8785 for reproducible output
+- [ ] Verify authority token provider obtains and refreshes OIDC tokens
+- [ ] Test offline strict mode blocks external HTTP calls in air-gapped deployments
+- [ ] Verify verdict hash chain integrity across observer restarts