feat(zastava): add evidence locker plan and schema examples

- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps. - Added example JSON schemas for observer events and webhook admissions. - Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control. - Created alert rules for Vuln Explorer to monitor API latency and projection errors. - Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails. - Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization. - Added expected projection SHA256 for vulnerability events. - Created k6 load testing script for Vuln Explorer API. - Added sample projection and replay event data for testing. - Implemented ReplayInputsLock for deterministic replay inputs management. - Developed tests for ReplayInputsLock to ensure stable hash computation. - Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity. - Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality. - Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
--- a/docs/modules/zastava/SHA256SUMS
+++ b/docs/modules/zastava/SHA256SUMS
@@ -3,3 +3,5 @@ f466bf2b399f065558867eaf3c961cff8803f4a1506bae5539c9ce62e9ab005d  schemas/webhoo
 40fabd4d7bc75c35ae063b2e931e79838c79b447528440456f5f4846951ff59d  thresholds.yaml
 652fce7d7b622ae762c8fb65a1e592bec14b124c3273312f93a63d2c29a2b989  kit/verify.sh
 f3f84fbe780115608268a91a5203d2d3ada50b4317e7641d88430a692e61e1f4  kit/README.md
+2411a16a68c98c8fdd402e19b9c29400b469c0054d0b6067541ee343988b85e0  schemas/examples/observer_event.example.json
+4ab47977b0717c8bdb39c52f52880742785cbcf0b5ba73d9ecc835155d445dc1  schemas/examples/webhook_admission.example.json
--- a/docs/modules/zastava/TASKS.md
+++ b/docs/modules/zastava/TASKS.md
@@ -7,6 +7,7 @@
 | ZASTAVA-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
 | ZASTAVA-SCHEMAS-0001 | TODO | Zastava Guild | Publish signed observer/admission schemas + test vectors under `docs/modules/zastava/schemas/`; DSSE + SHA256 required. |
 | ZASTAVA-KIT-0001 | TODO | Zastava Guild | Build signed `zastava-kit` bundle with thresholds.yaml, schemas, observations/admissions export, SHA256SUMS, and verify.sh; ensure offline parity. |
+| ZASTAVA-THRESHOLDS-0001 | TODO | Zastava Guild | DSSE-sign `thresholds.yaml` and align with kit; publish Evidence Locker URI and update sprint 0144 checkpoints. |
 | ZASTAVA-GAPS-144-007 | DONE (2025-12-02) | Zastava Guild | Remediation plan for ZR1–ZR10 published at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; follow-on schemas/kit/thresholds to be produced and signed. |

 > Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).
--- a/docs/modules/zastava/evidence/README.md
+++ b/docs/modules/zastava/evidence/README.md
@@ -0,0 +1,29 @@
+# Zastava Evidence Locker Plan (schemas/kit)
+
+Artifacts to sign (target 2025-12-06):
+- `schemas/observer_event.schema.json` — predicate `stella.ops/zastavaSchema@v1`
+- `schemas/webhook_admission.schema.json` — predicate `stella.ops/zastavaSchema@v1`
+- `thresholds.yaml` — predicate `stella.ops/zastavaThresholds@v1`
+- `zastava-kit.tzst` + `SHA256SUMS` — predicate `stella.ops/zastavaKit@v1`
+
+Planned Evidence Locker paths (fill after signing):
+- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
+- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
+- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
+- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst`
+- `evidence-locker/zastava/2025-12-06/SHA256SUMS`
+
+Signing template (replace KEY and file):
+```bash
+cosign sign-blob \
+  --key cosign.key \
+  --predicate-type stella.ops/zastavaSchema@v1 \
+  --output-signature schemas/observer_event.schema.dsse \
+  schemas/observer_event.schema.json
+```
+
+Post-sign steps:
+1) Verify DSSEs with `cosign verify-blob` using `cosign.pub`.
+2) Upload DSSEs + SHA256SUMS to Evidence Locker paths above.
+3) Update `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md` Decisions & Risks and Next Checkpoints with final URIs.
+4) Mark tasks ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 to DONE in both sprint and TASKS tables.
--- a/docs/modules/zastava/kit/README.md
+++ b/docs/modules/zastava/kit/README.md
@@ -10,3 +10,8 @@ Contents to include when built:
 Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.

 Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
+Planned Evidence Locker paths (post-signing):
+- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
+- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
+- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
+- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst` + `SHA256SUMS`
--- a/docs/modules/zastava/kit/verify.sh
+++ b/docs/modules/zastava/kit/verify.sh
@@ -8,7 +8,17 @@ if ! command -v sha256sum >/dev/null; then
 fi

 sha256sum --check SHA256SUMS
-# TODO: add DSSE verification once signatures are available; placeholder below
-# cosign verify-blob --key cosign.pub --signature observer_event.schema.json.sig observer_event.schema.json
+if command -v cosign >/dev/null && [ -f cosign.pub ]; then
+  echo "cosign present; DSSE verification placeholders (update paths when signed):"
+  echo "- observer_event.schema.dsse"
+  echo "- webhook_admission.schema.dsse"
+  echo "- thresholds.dsse"
+  # Example commands (uncomment once DSSE files exist):
+  # cosign verify-blob --key cosign.pub --signature observer_event.schema.dsse schemas/observer_event.schema.json
+  # cosign verify-blob --key cosign.pub --signature webhook_admission.schema.dsse schemas/webhook_admission.schema.json
+  # cosign verify-blob --key cosign.pub --signature thresholds.dsse thresholds.yaml
+else
+  echo "cosign not found or cosign.pub missing; skipped DSSE verification"
+fi

 echo "OK: hashes verified (DSSE verification pending)"
--- a/docs/modules/zastava/schemas/examples/observer_event.example.json
+++ b/docs/modules/zastava/schemas/examples/observer_event.example.json
@@ -0,0 +1,19 @@
+{
+  "tenant_id": "tenant-a",
+  "project_id": "proj-123",
+  "sensor_id": "observer-01",
+  "firmware_version": "1.2.3",
+  "policy_hash": "sha256:deadbeef",
+  "graph_revision_id": "graph-r1",
+  "ledger_id": "ledger-789",
+  "replay_manifest": "manifest-r1",
+  "event_type": "runtime_fact",
+  "observed_at": "2025-12-02T00:00:00Z",
+  "monotonic_nanos": 123456789,
+  "payload": {
+    "process": "nginx",
+    "pid": 4242
+  },
+  "payload_hash": "sha256:payloadhash",
+  "signature": "dsse://observer-event"
+}
--- a/docs/modules/zastava/schemas/examples/webhook_admission.example.json
+++ b/docs/modules/zastava/schemas/examples/webhook_admission.example.json
@@ -0,0 +1,21 @@
+{
+  "tenant_id": "tenant-a",
+  "project_id": "proj-123",
+  "request_uid": "abcd-1234",
+  "resource_kind": "Deployment",
+  "namespace": "prod",
+  "workload_name": "api",
+  "policy_hash": "sha256:deadbeef",
+  "graph_revision_id": "graph-r1",
+  "ledger_id": "ledger-789",
+  "replay_manifest": "manifest-r1",
+  "manifest_pointer": "surfacefs://cache/sha256:abc",
+  "decision": "allow",
+  "decision_reason": "surface cache fresh",
+  "decision_at": "2025-12-02T00:00:00Z",
+  "monotonic_nanos": 2233445566,
+  "side_effect": "none",
+  "bypass_waiver_id": null,
+  "payload_hash": "sha256:payloadhash",
+  "signature": "dsse://webhook-admission"
+}