stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat(zastava): add evidence locker plan and schema examples

Browse Source 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/modules/zastava/evidence/README.md Normal file
View File

@@ -0,0 +1,29 @@
# Zastava Evidence Locker Plan (schemas/kit)
Artifacts to sign (target 2025-12-06):
- `schemas/observer_event.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `schemas/webhook_admission.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `thresholds.yaml` — predicate `stella.ops/zastavaThresholds@v1`
- `zastava-kit.tzst` + `SHA256SUMS` — predicate `stella.ops/zastavaKit@v1`
Planned Evidence Locker paths (fill after signing):
- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst`
- `evidence-locker/zastava/2025-12-06/SHA256SUMS`
Signing template (replace KEY and file):
```bash
cosign sign-blob \
--key cosign.key \
--predicate-type stella.ops/zastavaSchema@v1 \
--output-signature schemas/observer_event.schema.dsse \
schemas/observer_event.schema.json
```
Post-sign steps:
1) Verify DSSEs with `cosign verify-blob` using `cosign.pub`.
2) Upload DSSEs + SHA256SUMS to Evidence Locker paths above.
3) Update `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md` Decisions & Risks and Next Checkpoints with final URIs.
4) Mark tasks ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 to DONE in both sprint and TASKS tables.