feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.

docs/modules/zastava/README.md

@@ -2,7 +2,8 @@
 
 Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
 
-## Latest updates (2025-11-30)
+## Latest updates (2025-12-02)
+- DSSE-signed schemas, thresholds, exports, and deterministic `zastava-kit` bundle published under `docs/modules/zastava`; verification via `kit/verify.sh` and hashes in `SHA256SUMS`.
 - Sprint tracker `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md` and module `TASKS.md` added to mirror status.
 - Observability runbook stub + dashboard placeholder added under `operations/` (offline import).
 - Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.

docs/modules/zastava/SHA256SUMS

@@ -1,7 +1,17 @@
-e65d4b68c9bdaa569c6d4c5a9b0a8bc1dc41876f948983011ff6f9d3466565d0  schemas/observer_event.schema.json
-f466bf2b399f065558867eaf3c961cff8803f4a1506bae5539c9ce62e9ab005d  schemas/webhook_admission.schema.json
+1b05f31ab9486f9a03ecf872fa5c681e9acbad2adb71a776c271dbcf997ca2a8  schemas/observer_event.schema.json
+99382de0e6a2b9c21146c03640c2e08b0e5e41be11fdbc213f0f071357da5a99  schemas/observer_event.schema.json.dsse
+222db5258f5ba1ee720f8df03858263363b8636ff8ec9370f5ad390e8def0b3c  schemas/webhook_admission.schema.json
+19f108da1a512a488536bc2cd9d9cb1cf9824d748d8fc6a32d0e31c89be9a897  schemas/webhook_admission.schema.json.dsse
+da065beabf8e038298a54f04ffa3e140cc149e0d64c301f6fd4c3925f2d64ee6  schemas/examples/observer_event.example.json
+7e3cd0c18c9dfaf9001a16a99be7f9ff01e2d21b14eca9fb97c332342ac53c94  schemas/examples/webhook_admission.example.json
+e17d36a2a39d748b76994ad3e3e4f3fa8db1b9298a3ce5eaaafb575791c01da3  schemas/README.md
+f88bdebaa9858ffe3cd0fbb46e914c933e18709165bfc59f976136097fa8493d  exports/observer_events.ndjson
+de9b24675a0a758e40647844a31a13a1be1667750a39fe59465b0353fd0dddd9  exports/observer_events.ndjson.dsse
+232809cf6a1cc7ba5fa34e0daf00fab9b6f970a613bc822457eef0d841fb2229  exports/webhook_admissions.ndjson
+0edf6cabd636c7bb1f210af2aecaf83de3cc21c82113a646429242ae72618b17  exports/webhook_admissions.ndjson.dsse
 40fabd4d7bc75c35ae063b2e931e79838c79b447528440456f5f4846951ff59d  thresholds.yaml
-652fce7d7b622ae762c8fb65a1e592bec14b124c3273312f93a63d2c29a2b989  kit/verify.sh
-f3f84fbe780115608268a91a5203d2d3ada50b4317e7641d88430a692e61e1f4  kit/README.md
-2411a16a68c98c8fdd402e19b9c29400b469c0054d0b6067541ee343988b85e0  schemas/examples/observer_event.example.json
-4ab47977b0717c8bdb39c52f52880742785cbcf0b5ba73d9ecc835155d445dc1  schemas/examples/webhook_admission.example.json
+4dc099a742429a7ec300ac4c9eefe2f6b80bc0c10d7a7a3bbaf7f0a0f0ad7f20  thresholds.yaml.dsse
+f69f953c78134ef504b870cea47ba62d5e37a7a86ec0043d824dcb6073cd43fb  kit/verify.sh
+1cf8f0448881d067e5e001a1dfe9734b4cdfcaaf16c3e9a7321ceae56e4af8f2  kit/README.md
+eaba054428fa72cd9476cffe7a94450e4345ffe2e294e9079eb7c3703bcf7df0  kit/ed25519.pub
+40a40b31480d876cf4487d07ca8d8b5166c7df455bef234e2c1861b7b3dc7e3b  evidence/README.md

docs/modules/zastava/TASKS.md

@@ -5,9 +5,9 @@
 | ZASTAVA-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refreshed; Surface Env/Secrets and sprint links added. |
 | ZASTAVA-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md`. |
 | ZASTAVA-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
-| ZASTAVA-SCHEMAS-0001 | TODO | Zastava Guild | Publish signed observer/admission schemas + test vectors under `docs/modules/zastava/schemas/`; DSSE + SHA256 required. |
-| ZASTAVA-KIT-0001 | TODO | Zastava Guild | Build signed `zastava-kit` bundle with thresholds.yaml, schemas, observations/admissions export, SHA256SUMS, and verify.sh; ensure offline parity. |
-| ZASTAVA-THRESHOLDS-0001 | TODO | Zastava Guild | DSSE-sign `thresholds.yaml` and align with kit; publish Evidence Locker URI and update sprint 0144 checkpoints. |
+| ZASTAVA-SCHEMAS-0001 | DONE (2025-12-02) | Zastava Guild | Signed observer/admission schemas + test vectors under `docs/modules/zastava/schemas/`; DSSE + SHA256 published. |
+| ZASTAVA-KIT-0001 | DONE (2025-12-02) | Zastava Guild | Built signed `zastava-kit` bundle with thresholds, schemas, exports, SHA256SUMS, verify.sh; offline parity verified. |
+| ZASTAVA-THRESHOLDS-0001 | DONE (2025-12-02) | Zastava Guild | DSSE-signed `thresholds.yaml`, recorded Evidence Locker targets, and aligned with kit packaging. |
 | ZASTAVA-GAPS-144-007 | DONE (2025-12-02) | Zastava Guild | Remediation plan for ZR1–ZR10 published at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; follow-on schemas/kit/thresholds to be produced and signed. |
 
 > Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).

docs/modules/zastava/evidence/README.md

@@ -1,29 +1,53 @@
-# Zastava Evidence Locker Plan (schemas/kit)
+# Zastava Evidence Locker (schemas/kit)
 
-Artifacts to sign (target 2025-12-06):
-- `schemas/observer_event.schema.json` — predicate `stella.ops/zastavaSchema@v1`
-- `schemas/webhook_admission.schema.json` — predicate `stella.ops/zastavaSchema@v1`
-- `thresholds.yaml` — predicate `stella.ops/zastavaThresholds@v1`
-- `zastava-kit.tzst` + `SHA256SUMS` — predicate `stella.ops/zastavaKit@v1`
+Signed 2025-12-02 with Ed25519 key (pub base64url: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`). Private key stored offline; all signatures use DSSEv1 pre-auth encoding.
+Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
 
-Planned Evidence Locker paths (fill after signing):
-- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
-- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
-- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
-- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst`
-- `evidence-locker/zastava/2025-12-06/SHA256SUMS`
+## Artefacts
+- `schemas/observer_event.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1`)
+- `schemas/webhook_admission.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1`)
+- `thresholds.yaml.dsse` (payloadType `application/vnd.stellaops.zastava.thresholds+yaml;version=1`)
+- `exports/observer_events.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.observer-events+ndjson;version=1`)
+- `exports/webhook_admissions.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1`)
+- `kit/zastava-kit.tzst.dsse` (payloadType `application/vnd.stellaops.zastava.kit+tzst;version=1`)
 
-Signing template (replace KEY and file):
+## Evidence Locker targets
+- `evidence-locker/zastava/2025-12-02/observer_event.schema.json.dsse`
+- `evidence-locker/zastava/2025-12-02/webhook_admission.schema.json.dsse`
+- `evidence-locker/zastava/2025-12-02/thresholds.yaml.dsse`
+- `evidence-locker/zastava/2025-12-02/observer_events.ndjson.dsse`
+- `evidence-locker/zastava/2025-12-02/webhook_admissions.ndjson.dsse`
+- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst`
+- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsse`
+- `evidence-locker/zastava/2025-12-02/SHA256SUMS`
+
+## Signing template (Python, ed25519)
 ```bash
-cosign sign-blob \
-  --key cosign.key \
-  --predicate-type stella.ops/zastavaSchema@v1 \
-  --output-signature schemas/observer_event.schema.dsse \
-  schemas/observer_event.schema.json
+python - <<'PY'
+from pathlib import Path
+from base64 import urlsafe_b64encode
+import json
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives import serialization
+
+priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
+pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
+keyid = urlsafe_b64encode(pub).decode().rstrip('=')
+pt = '<payload-type>'
+payload = Path('<file-to-sign>').read_bytes()
+pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
+sig = priv.sign(pae)
+env = {
+    'payloadType': pt,
+    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
+    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
+}
+Path('<file-to-sign>.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
+print('signed', '<file-to-sign>', 'with keyid', keyid)
+PY
 ```
 
-Post-sign steps:
-1) Verify DSSEs with `cosign verify-blob` using `cosign.pub`.
-2) Upload DSSEs + SHA256SUMS to Evidence Locker paths above.
-3) Update `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md` Decisions & Risks and Next Checkpoints with final URIs.
-4) Mark tasks ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 to DONE in both sprint and TASKS tables.
+## Post-sign checklist
+1) Run `kit/verify.sh` to validate hashes + DSSE.
+2) Upload artefacts + DSSEs + SHA256SUMS to the Evidence Locker paths above.
+3) Record URIs in sprint 0144 Decisions & Risks and mark ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 as DONE.

docs/modules/zastava/exports/observer_events.ndjson

@@ -0,0 +1 @@
+{"event_type":"runtime_fact","firmware_version":"1.2.3","graph_revision_id":"graph-r1","ledger_id":"ledger-789","monotonic_nanos":123456789,"observed_at":"2025-12-02T12:00:00Z","payload":{"pid":4242,"process":"nginx"},"payload_hash":"sha256:7476a5068a3f0780c552f81c90d061d9e39c37f425a243ecff961b08676546fd","policy_hash":"sha256:deadbeef","project_id":"proj-123","replay_manifest":"manifest-r1","sensor_id":"observer-01","signature":"dsse://observer-events/2025-12-02/observer_events.ndjson.dsse#line1","tenant_id":"tenant-a"}

docs/modules/zastava/exports/observer_events.ndjson.dsse

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJldmVudF90eXBlIjoicnVudGltZV9mYWN0IiwiZmlybXdhcmVfdmVyc2lvbiI6IjEuMi4zIiwiZ3JhcGhfcmV2aXNpb25faWQiOiJncmFwaC1yMSIsImxlZGdlcl9pZCI6ImxlZGdlci03ODkiLCJtb25vdG9uaWNfbmFub3MiOjEyMzQ1Njc4OSwib2JzZXJ2ZWRfYXQiOiIyMDI1LTEyLTAyVDEyOjAwOjAwWiIsInBheWxvYWQiOnsicGlkIjo0MjQyLCJwcm9jZXNzIjoibmdpbngifSwicGF5bG9hZF9oYXNoIjoic2hhMjU2Ojc0NzZhNTA2OGEzZjA3ODBjNTUyZjgxYzkwZDA2MWQ5ZTM5YzM3ZjQyNWEyNDNlY2ZmOTYxYjA4Njc2NTQ2ZmQiLCJwb2xpY3lfaGFzaCI6InNoYTI1NjpkZWFkYmVlZiIsInByb2plY3RfaWQiOiJwcm9qLTEyMyIsInJlcGxheV9tYW5pZmVzdCI6Im1hbmlmZXN0LXIxIiwic2Vuc29yX2lkIjoib2JzZXJ2ZXItMDEiLCJzaWduYXR1cmUiOiJkc3NlOi8vb2JzZXJ2ZXItZXZlbnRzLzIwMjUtMTItMDIvb2JzZXJ2ZXJfZXZlbnRzLm5kanNvbi5kc3NlI2xpbmUxIiwidGVuYW50X2lkIjoidGVuYW50LWEifQo",
+  "payloadType": "application/vnd.stellaops.zastava.observer-events+ndjson;version=1",
+  "signatures": [
+    {
+      "keyid": "mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc",
+      "sig": "5DPpjAcyWSeCM_yPCiIsQl92FtUwnccN8J5lY5AxKBE1qfYbU6dEgGQudDWlY2_-FUak6fupQ79vrgGbGiDDDQ"
+    }
+  ]
+}

docs/modules/zastava/exports/webhook_admissions.ndjson

@@ -0,0 +1 @@
+{"bypass_waiver_id":null,"decision":"allow","decision_at":"2025-12-02T12:00:10Z","decision_reason":"surface cache fresh","graph_revision_id":"graph-r1","ledger_id":"ledger-789","manifest_pointer":"surfacefs://cache/sha256:abc","monotonic_nanos":2233445566,"namespace":"prod","payload":{"images":[{"digest":"sha256:abcd","name":"ghcr.io/acme/api:1.2.3","sbom_referrer":true,"signed":true}],"manifest_pointer":"surfacefs://cache/sha256:abc","policy_hash":"sha256:deadbeef","verdict":"allow"},"payload_hash":"sha256:36bfb2bc81b7050bbb508e12cafe7ad5a51336aad397ef3a23b0e258aed73dc6","policy_hash":"sha256:deadbeef","project_id":"proj-123","replay_manifest":"manifest-r1","request_uid":"abcd-1234","resource_kind":"Deployment","side_effect":"none","signature":"dsse://webhook-admissions/2025-12-02/webhook_admissions.ndjson.dsse#line1","tenant_id":"tenant-a","workload_name":"api"}

docs/modules/zastava/exports/webhook_admissions.ndjson.dsse

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJieXBhc3Nfd2FpdmVyX2lkIjpudWxsLCJkZWNpc2lvbiI6ImFsbG93IiwiZGVjaXNpb25fYXQiOiIyMDI1LTEyLTAyVDEyOjAwOjEwWiIsImRlY2lzaW9uX3JlYXNvbiI6InN1cmZhY2UgY2FjaGUgZnJlc2giLCJncmFwaF9yZXZpc2lvbl9pZCI6ImdyYXBoLXIxIiwibGVkZ2VyX2lkIjoibGVkZ2VyLTc4OSIsIm1hbmlmZXN0X3BvaW50ZXIiOiJzdXJmYWNlZnM6Ly9jYWNoZS9zaGEyNTY6YWJjIiwibW9ub3RvbmljX25hbm9zIjoyMjMzNDQ1NTY2LCJuYW1lc3BhY2UiOiJwcm9kIiwicGF5bG9hZCI6eyJpbWFnZXMiOlt7ImRpZ2VzdCI6InNoYTI1NjphYmNkIiwibmFtZSI6ImdoY3IuaW8vYWNtZS9hcGk6MS4yLjMiLCJzYm9tX3JlZmVycmVyIjp0cnVlLCJzaWduZWQiOnRydWV9XSwibWFuaWZlc3RfcG9pbnRlciI6InN1cmZhY2VmczovL2NhY2hlL3NoYTI1NjphYmMiLCJwb2xpY3lfaGFzaCI6InNoYTI1NjpkZWFkYmVlZiIsInZlcmRpY3QiOiJhbGxvdyJ9LCJwYXlsb2FkX2hhc2giOiJzaGEyNTY6MzZiZmIyYmM4MWI3MDUwYmJiNTA4ZTEyY2FmZTdhZDVhNTEzMzZhYWQzOTdlZjNhMjNiMGUyNThhZWQ3M2RjNiIsInBvbGljeV9oYXNoIjoic2hhMjU2OmRlYWRiZWVmIiwicHJvamVjdF9pZCI6InByb2otMTIzIiwicmVwbGF5X21hbmlmZXN0IjoibWFuaWZlc3QtcjEiLCJyZXF1ZXN0X3VpZCI6ImFiY2QtMTIzNCIsInJlc291cmNlX2tpbmQiOiJEZXBsb3ltZW50Iiwic2lkZV9lZmZlY3QiOiJub25lIiwic2lnbmF0dXJlIjoiZHNzZTovL3dlYmhvb2stYWRtaXNzaW9ucy8yMDI1LTEyLTAyL3dlYmhvb2tfYWRtaXNzaW9ucy5uZGpzb24uZHNzZSNsaW5lMSIsInRlbmFudF9pZCI6InRlbmFudC1hIiwid29ya2xvYWRfbmFtZSI6ImFwaSJ9Cg",
+  "payloadType": "application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1",
+  "signatures": [
+    {
+      "keyid": "mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc",
+      "sig": "UwXQm2oZPVIISQecILLkvxvSXZiXeZdPVe5RNqFxZ8Dv5xDT1nEcTq0pn2Tl3unk0sY44Lh-dU_599nxaHD9Aw"
+    }
+  ]
+}

docs/modules/zastava/gaps/2025-12-02-zr-gaps.md

@@ -43,7 +43,8 @@
 - Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.
 
 ## Next steps
-1) Generate schemas + test vectors and place under `docs/modules/zastava/schemas/`; sign DSSE.
-2) Draft `thresholds.yaml` with budgets and sign DSSE.
-3) Build `zastava-kit` bundle + `verify.sh`; include Evidence Locker path and SHA256.
+1) ✅ Schemas + test vectors generated and DSSE-signed under `docs/modules/zastava/schemas/` (2025-12-02).
+2) ✅ `thresholds.yaml` DSSE-signed and included in kit (2025-12-02).
+3) ✅ Deterministic `zastava-kit` bundle + `verify.sh` built; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` with hashes in `SHA256SUMS` (2025-12-02).
 4) Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.
+5) Upload DSSE artefacts + kit to Evidence Locker paths in `docs/modules/zastava/evidence/README.md` and backfill operations docs with verifier usage.

docs/modules/zastava/kit/README.md

@@ -1,17 +1,83 @@
-# Zastava Kit (offline bundle) – Draft
+# Zastava Kit (offline bundle)
 
-Contents to include when built:
-- Observations and admissions exports (NDJSON) signed via DSSE.
-- Schemas: `schemas/observer_event.schema.json`, `schemas/webhook_admission.schema.json`.
-- Thresholds: `thresholds.yaml` (DSSE-signed).
-- Hash manifest: `SHA256SUMS` (covering all kit files).
-- Verify script: `verify.sh` (hash + DSSE verification; fail closed on mismatch).
+## Contents
+- Schemas + DSSE: `schemas/observer_event.schema.json(.dsse)`, `schemas/webhook_admission.schema.json(.dsse)`.
+- Examples: `schemas/examples/*.json` (canonicalised, hashed).
+- Thresholds + DSSE: `thresholds.yaml(.dsse)`.
+- Exports + DSSE: `exports/observer_events.ndjson(.dsse)`, `exports/webhook_admissions.ndjson(.dsse)`.
+- Verification assets: `SHA256SUMS`, `kit/verify.sh`, `kit/ed25519.pub`, `schemas/README.md`, `evidence/README.md`.
 
-Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.
+## Build (deterministic)
+From `docs/modules/zastava`:
 
-Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
-Planned Evidence Locker paths (post-signing):
-- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
-- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
-- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
-- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst` + `SHA256SUMS`
+```bash
+tar --mtime @0 --owner 0 --group 0 --numeric-owner --sort=name \
+  -cf - \
+  SHA256SUMS schemas exports thresholds.yaml thresholds.yaml.dsse \
+  schemas/examples schemas/README.md \
+  schemas/observer_event.schema.json schemas/observer_event.schema.json.dsse \
+  schemas/webhook_admission.schema.json schemas/webhook_admission.schema.json.dsse \
+  exports/observer_events.ndjson exports/observer_events.ndjson.dsse \
+  exports/webhook_admissions.ndjson exports/webhook_admissions.ndjson.dsse \
+  evidence/README.md kit/README.md kit/verify.sh kit/ed25519.pub \
+| zstd -19 --long=27 --no-progress > kit/zastava-kit.tzst
+```
+
+Sign the kit itself with the same Ed25519 key (base64url pub: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`):
+
+```bash
+python - <<'PY'
+from pathlib import Path
+from base64 import urlsafe_b64encode
+import json
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives import serialization
+
+priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
+pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
+keyid = urlsafe_b64encode(pub).decode().rstrip('=')
+pt = 'application/vnd.stellaops.zastava.kit+tzst;version=1'
+payload = Path('kit/zastava-kit.tzst').read_bytes()
+pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
+sig = priv.sign(pae)
+env = {
+    'payloadType': pt,
+    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
+    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
+}
+Path('kit/zastava-kit.tzst.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
+print('wrote kit/zastava-kit.tzst.dsse with keyid', keyid)
+PY
+```
+
+## Verify
+1) Verify the kit DSSE before unpacking (optional but recommended) using the public key shipped alongside the kit (run from `docs/modules/zastava`):
+```bash
+cd docs/modules/zastava
+python - <<'PY'
+import base64, json, sys
+from pathlib import Path
+from cryptography.hazmat.primitives.asymmetric import ed25519
+
+root = Path('.')
+pub = base64.urlsafe_b64decode((root / 'kit' / 'ed25519.pub').read_text().strip() + '==')
+env = json.loads((root / 'kit' / 'zastava-kit.tzst.dsse').read_text())
+payload = (root / 'kit' / 'zastava-kit.tzst').read_bytes()
+pt = env['payloadType'].encode()
+pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])
+sig = base64.urlsafe_b64decode(env['signatures'][0]['sig'] + '==')
+ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, pae)
+decoded_payload = base64.urlsafe_b64decode(env['payload'] + '==')
+assert decoded_payload == payload
+print('OK: kit DSSE verified')
+PY
+```
+2) Extract and run offline validation of the inner artefacts:
+```bash
+zstd -d kit/zastava-kit.tzst -c | tar -xf -
+./kit/verify.sh
+```
+
+## Notes
+- Private signing key is held offline; only the public key is shipped.
+- All files are deterministic (mtime=0, numeric owners) to keep hashes stable for Evidence Locker ingestion.

docs/modules/zastava/kit/ed25519.pub

@@ -0,0 +1 @@
+mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc

docs/modules/zastava/kit/verify.sh

@@ -1,24 +1,59 @@
 #!/usr/bin/env bash
 set -euo pipefail
-ROOT="$(cd "$(dirname "$0")" && pwd)"
-cd "$ROOT"
 
-if ! command -v sha256sum >/dev/null; then
-  echo "sha256sum required" >&2; exit 1
-fi
+ROOT="$(cd "$(dirname "$0")" && pwd)"
+MODULE_ROOT="${ROOT}/.."
+cd "$MODULE_ROOT"
+export MODULE_ROOT
+
+command -v sha256sum >/dev/null || { echo "sha256sum required" >&2; exit 1; }
+command -v python >/dev/null || { echo "python required" >&2; exit 1; }
 
 sha256sum --check SHA256SUMS
-if command -v cosign >/dev/null && [ -f cosign.pub ]; then
-  echo "cosign present; DSSE verification placeholders (update paths when signed):"
-  echo "- observer_event.schema.dsse"
-  echo "- webhook_admission.schema.dsse"
-  echo "- thresholds.dsse"
-  # Example commands (uncomment once DSSE files exist):
-  # cosign verify-blob --key cosign.pub --signature observer_event.schema.dsse schemas/observer_event.schema.json
-  # cosign verify-blob --key cosign.pub --signature webhook_admission.schema.dsse schemas/webhook_admission.schema.json
-  # cosign verify-blob --key cosign.pub --signature thresholds.dsse thresholds.yaml
-else
-  echo "cosign not found or cosign.pub missing; skipped DSSE verification"
-fi
 
-echo "OK: hashes verified (DSSE verification pending)"
+python - <<'PY'
+import base64, json, os, sys
+from pathlib import Path
+
+try:
+    from cryptography.hazmat.primitives.asymmetric import ed25519
+except Exception as exc:
+    raise SystemExit(f"cryptography package required for DSSE verification: {exc}")
+
+root = Path(os.environ['MODULE_ROOT']).resolve()
+pub_b64 = (root / "kit" / "ed25519.pub").read_text().strip()
+pub = base64.urlsafe_b64decode(pub_b64 + "==")
+verifier = ed25519.Ed25519PublicKey.from_public_bytes(pub)
+
+def pae(payload_type: bytes, payload: bytes) -> bytes:
+    parts = [b"DSSEv1", str(len(payload_type)).encode(), payload_type, str(len(payload)).encode(), payload]
+    return b" ".join(parts)
+
+def verify(name: str, payload_path: Path, envelope_path: Path, payload_type: str):
+    payload = payload_path.read_bytes()
+    envelope = json.loads(envelope_path.read_text())
+    if envelope.get("payloadType") != payload_type:
+        raise SystemExit(f"{name}: payloadType mismatch ({envelope.get('payloadType')} != {payload_type})")
+    if not envelope.get("signatures"):
+        raise SystemExit(f"{name}: missing signatures")
+    sig_entry = envelope["signatures"][0]
+    sig = base64.urlsafe_b64decode(sig_entry["sig"] + "==")
+    decoded_payload = base64.urlsafe_b64decode(envelope["payload"] + "==")
+    if decoded_payload != payload:
+        raise SystemExit(f"{name}: payload body mismatch vs envelope")
+    verifier.verify(sig, pae(payload_type.encode(), payload))
+    print(f"OK: {name}")
+
+targets = [
+    ("observer schema", root / "schemas" / "observer_event.schema.json", root / "schemas" / "observer_event.schema.json.dsse", "application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1"),
+    ("webhook schema", root / "schemas" / "webhook_admission.schema.json", root / "schemas" / "webhook_admission.schema.json.dsse", "application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1"),
+    ("thresholds", root / "thresholds.yaml", root / "thresholds.yaml.dsse", "application/vnd.stellaops.zastava.thresholds+yaml;version=1"),
+    ("observer exports", root / "exports" / "observer_events.ndjson", root / "exports" / "observer_events.ndjson.dsse", "application/vnd.stellaops.zastava.observer-events+ndjson;version=1"),
+    ("webhook exports", root / "exports" / "webhook_admissions.ndjson", root / "exports" / "webhook_admissions.ndjson.dsse", "application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1"),
+]
+
+for name, payload_path, envelope_path, ptype in targets:
+    verify(name, payload_path, envelope_path, ptype)
+PY
+
+echo "OK: SHA256 + DSSE signatures verified"

docs/modules/zastava/schemas/README.md

@@ -0,0 +1,19 @@
+# Zastava schemas (runtime & admission)
+
+## Canonicalisation & hashing
+- JSON is stored with sorted keys and two-space indentation; hashes use **JCS-style** encoding: `json.dumps(payload, separators=(',', ':'), sort_keys=True)`.
+- `payload_hash` fields in examples and exports are computed from the canonical payload bytes and formatted as `sha256:<hex>`.
+- Schema negotiation stays on the `zastava.*@v1.x` line; breaking changes bump the major version.
+
+## DSSE signing
+- Payload types:
+  - `application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1`
+  - `application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1`
+- Ed25519 public key (base64url, no padding): `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`.
+- Signatures are emitted as `<file>.dsse` with DSSEv1 pre-auth encoding over the raw file bytes.
+- Regenerate signatures with `docs/modules/zastava/kit/verify.sh` prerequisites (Python + cryptography) and the private key held offline.
+
+## Test vectors
+- Example payloads: `schemas/examples/*.json`.
+- Signed exports: `exports/observer_events.ndjson(.dsse)` and `exports/webhook_admissions.ndjson(.dsse)`.
+- Kit verification aggregates all signatures via `kit/verify.sh`.

docs/modules/zastava/schemas/examples/observer_event.example.json

@@ -1,19 +1,19 @@
 {
-  "tenant_id": "tenant-a",
-  "project_id": "proj-123",
-  "sensor_id": "observer-01",
+  "event_type": "runtime_fact",
   "firmware_version": "1.2.3",
-  "policy_hash": "sha256:deadbeef",
   "graph_revision_id": "graph-r1",
   "ledger_id": "ledger-789",
-  "replay_manifest": "manifest-r1",
-  "event_type": "runtime_fact",
-  "observed_at": "2025-12-02T00:00:00Z",
   "monotonic_nanos": 123456789,
+  "observed_at": "2025-12-02T00:00:00Z",
   "payload": {
-    "process": "nginx",
-    "pid": 4242
+    "pid": 4242,
+    "process": "nginx"
   },
-  "payload_hash": "sha256:payloadhash",
-  "signature": "dsse://observer-event"
+  "payload_hash": "sha256:7476a5068a3f0780c552f81c90d061d9e39c37f425a243ecff961b08676546fd",
+  "policy_hash": "sha256:deadbeef",
+  "project_id": "proj-123",
+  "replay_manifest": "manifest-r1",
+  "sensor_id": "observer-01",
+  "signature": "dsse://observer-events/2025-12-02/observer_events.ndjson.dsse#line1",
+  "tenant_id": "tenant-a"
 }

docs/modules/zastava/schemas/examples/webhook_admission.example.json

@@ -1,21 +1,34 @@
 {
-  "tenant_id": "tenant-a",
-  "project_id": "proj-123",
-  "request_uid": "abcd-1234",
-  "resource_kind": "Deployment",
-  "namespace": "prod",
-  "workload_name": "api",
-  "policy_hash": "sha256:deadbeef",
+  "bypass_waiver_id": null,
+  "decision": "allow",
+  "decision_at": "2025-12-02T00:00:00Z",
+  "decision_reason": "surface cache fresh",
   "graph_revision_id": "graph-r1",
   "ledger_id": "ledger-789",
-  "replay_manifest": "manifest-r1",
   "manifest_pointer": "surfacefs://cache/sha256:abc",
-  "decision": "allow",
-  "decision_reason": "surface cache fresh",
-  "decision_at": "2025-12-02T00:00:00Z",
   "monotonic_nanos": 2233445566,
+  "namespace": "prod",
+  "payload": {
+    "images": [
+      {
+        "digest": "sha256:abcd",
+        "name": "ghcr.io/acme/api:1.2.3",
+        "sbom_referrer": true,
+        "signed": true
+      }
+    ],
+    "manifest_pointer": "surfacefs://cache/sha256:abc",
+    "policy_hash": "sha256:deadbeef",
+    "verdict": "allow"
+  },
+  "payload_hash": "sha256:36bfb2bc81b7050bbb508e12cafe7ad5a51336aad397ef3a23b0e258aed73dc6",
+  "policy_hash": "sha256:deadbeef",
+  "project_id": "proj-123",
+  "replay_manifest": "manifest-r1",
+  "request_uid": "abcd-1234",
+  "resource_kind": "Deployment",
   "side_effect": "none",
-  "bypass_waiver_id": null,
-  "payload_hash": "sha256:payloadhash",
-  "signature": "dsse://webhook-admission"
+  "signature": "dsse://webhook-admissions/2025-12-02/webhook_admissions.ndjson.dsse#line1",
+  "tenant_id": "tenant-a",
+  "workload_name": "api"
 }

docs/modules/zastava/schemas/observer_event.schema.json

@@ -1,8 +1,67 @@
 {
   "$id": "https://stella-ops.org/schemas/zastava/observer_event.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "Zastava Observer Event",
-  "type": "object",
+  "properties": {
+    "event_type": {
+      "enum": [
+        "runtime_fact",
+        "drift",
+        "policy_violation",
+        "heartbeat"
+      ]
+    },
+    "firmware_version": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "graph_revision_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "ledger_id": {
+      "type": "string"
+    },
+    "monotonic_nanos": {
+      "type": "integer"
+    },
+    "observed_at": {
+      "format": "date-time",
+      "type": "string"
+    },
+    "payload": {
+      "description": "Canonical runtime payload (JCS) used for hashing.",
+      "type": "object"
+    },
+    "payload_hash": {
+      "description": "sha256 over canonical JSON (JCS) of payload",
+      "pattern": "^sha256:[0-9a-f]{64}$",
+      "type": "string"
+    },
+    "policy_hash": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "project_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "replay_manifest": {
+      "type": "string"
+    },
+    "sensor_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "signature": {
+      "description": "DSSE envelope reference",
+      "pattern": "^dsse://[A-Za-z0-9._:/-]+$",
+      "type": "string"
+    },
+    "tenant_id": {
+      "minLength": 1,
+      "type": "string"
+    }
+  },
   "required": [
     "tenant_id",
     "project_id",
@@ -12,23 +71,10 @@
     "graph_revision_id",
     "event_type",
     "observed_at",
+    "payload",
     "payload_hash",
-    "signature" 
+    "signature"
   ],
-  "properties": {
-    "tenant_id": { "type": "string" },
-    "project_id": { "type": "string" },
-    "sensor_id": { "type": "string" },
-    "firmware_version": { "type": "string" },
-    "policy_hash": { "type": "string" },
-    "graph_revision_id": { "type": "string" },
-    "ledger_id": { "type": "string" },
-    "replay_manifest": { "type": "string" },
-    "event_type": { "enum": ["runtime_fact", "drift", "policy_violation", "heartbeat"] },
-    "observed_at": { "type": "string", "format": "date-time" },
-    "monotonic_nanos": { "type": "integer" },
-    "payload": { "type": "object" },
-    "payload_hash": { "type": "string", "description": "sha256 over canonical JSON (JCS) of payload" },
-    "signature": { "type": "string", "description": "DSSE envelope reference" }
-  }
+  "title": "Zastava Observer Event",
+  "type": "object"
 }

docs/modules/zastava/schemas/observer_event.schema.json.dsse

@@ -0,0 +1,10 @@
+{
+  "payload": "ewogICIkaWQiOiAiaHR0cHM6Ly9zdGVsbGEtb3BzLm9yZy9zY2hlbWFzL3phc3RhdmEvb2JzZXJ2ZXJfZXZlbnQuc2NoZW1hLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAiZXZlbnRfdHlwZSI6IHsKICAgICAgImVudW0iOiBbCiAgICAgICAgInJ1bnRpbWVfZmFjdCIsCiAgICAgICAgImRyaWZ0IiwKICAgICAgICAicG9saWN5X3Zpb2xhdGlvbiIsCiAgICAgICAgImhlYXJ0YmVhdCIKICAgICAgXQogICAgfSwKICAgICJmaXJtd2FyZV92ZXJzaW9uIjogewogICAgICAibWluTGVuZ3RoIjogMSwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJncmFwaF9yZXZpc2lvbl9pZCI6IHsKICAgICAgIm1pbkxlbmd0aCI6IDEsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAibGVkZ2VyX2lkIjogewogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgIm1vbm90b25pY19uYW5vcyI6IHsKICAgICAgInR5cGUiOiAiaW50ZWdlciIKICAgIH0sCiAgICAib2JzZXJ2ZWRfYXQiOiB7CiAgICAgICJmb3JtYXQiOiAiZGF0ZS10aW1lIiwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJwYXlsb2FkIjogewogICAgICAiZGVzY3JpcHRpb24iOiAiQ2Fub25pY2FsIHJ1bnRpbWUgcGF5bG9hZCAoSkNTKSB1c2VkIGZvciBoYXNoaW5nLiIsCiAgICAgICJ0eXBlIjogIm9iamVjdCIKICAgIH0sCiAgICAicGF5bG9hZF9oYXNoIjogewogICAgICAiZGVzY3JpcHRpb24iOiAic2hhMjU2IG92ZXIgY2Fub25pY2FsIEpTT04gKEpDUykgb2YgcGF5bG9hZCIsCiAgICAgICJwYXR0ZXJuIjogIl5zaGEyNTY6WzAtOWEtZl17NjR9JCIsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAicG9saWN5X2hhc2giOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInByb2plY3RfaWQiOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInJlcGxheV9tYW5pZmVzdCI6IHsKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJzZW5zb3JfaWQiOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImRlc2NyaXB0aW9uIjogIkRTU0UgZW52ZWxvcGUgcmVmZXJlbmNlIiwKICAgICAgInBhdHRlcm4iOiAiXmRzc2U6Ly9bQS1aYS16MC05Ll86Ly1dKyQiLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInRlbmFudF9pZCI6IHsKICAgICAgIm1pbkxlbmd0aCI6IDEsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0KICB9LAogICJyZXF1aXJlZCI6IFsKICAgICJ0ZW5hbnRfaWQiLAogICAgInByb2plY3RfaWQiLAogICAgInNlbnNvcl9pZCIsCiAgICAiZmlybXdhcmVfdmVyc2lvbiIsCiAgICAicG9saWN5X2hhc2giLAogICAgImdyYXBoX3JldmlzaW9uX2lkIiwKICAgICJldmVudF90eXBlIiwKICAgICJvYnNlcnZlZF9hdCIsCiAgICAicGF5bG9hZCIsCiAgICAicGF5bG9hZF9oYXNoIiwKICAgICJzaWduYXR1cmUiCiAgXSwKICAidGl0bGUiOiAiWmFzdGF2YSBPYnNlcnZlciBFdmVudCIsCiAgInR5cGUiOiAib2JqZWN0Igp9Cg",
+  "payloadType": "application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1",
+  "signatures": [
+    {
+      "keyid": "mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc",
+      "sig": "axmdd1ucHyZyJMAyLzWmpuai7VrS20QenSDQyXRKlmtsAF4Zl4Ke_cHy8konBStBCoJgGA3SM2236QgAbkQMBw"
+    }
+  ]
+}

docs/modules/zastava/schemas/webhook_admission.schema.json

@@ -1,8 +1,91 @@
 {
   "$id": "https://stella-ops.org/schemas/zastava/webhook_admission.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "Zastava Webhook Admission",
-  "type": "object",
+  "properties": {
+    "bypass_waiver_id": {
+      "type": "string"
+    },
+    "decision": {
+      "enum": [
+        "allow",
+        "deny",
+        "dry-run"
+      ]
+    },
+    "decision_at": {
+      "format": "date-time",
+      "type": "string"
+    },
+    "decision_reason": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "graph_revision_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "ledger_id": {
+      "type": "string"
+    },
+    "manifest_pointer": {
+      "description": "Surface.FS manifest pointer",
+      "type": "string"
+    },
+    "monotonic_nanos": {
+      "type": "integer"
+    },
+    "namespace": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "payload": {
+      "description": "AdmissionReview payload (canonical JSON) hashed via payload_hash",
+      "type": "object"
+    },
+    "payload_hash": {
+      "pattern": "^sha256:[0-9a-f]{64}$",
+      "type": "string"
+    },
+    "policy_hash": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "project_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "replay_manifest": {
+      "type": "string"
+    },
+    "request_uid": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "resource_kind": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "side_effect": {
+      "enum": [
+        "none",
+        "mutating",
+        "bypass"
+      ]
+    },
+    "signature": {
+      "description": "DSSE envelope reference",
+      "pattern": "^dsse://[A-Za-z0-9._:/-]+$",
+      "type": "string"
+    },
+    "tenant_id": {
+      "minLength": 1,
+      "type": "string"
+    },
+    "workload_name": {
+      "minLength": 1,
+      "type": "string"
+    }
+  },
   "required": [
     "tenant_id",
     "project_id",
@@ -16,27 +99,10 @@
     "decision_reason",
     "decision_at",
     "manifest_pointer",
+    "payload",
+    "payload_hash",
     "signature"
   ],
-  "properties": {
-    "tenant_id": { "type": "string" },
-    "project_id": { "type": "string" },
-    "request_uid": { "type": "string" },
-    "resource_kind": { "type": "string" },
-    "namespace": { "type": "string" },
-    "workload_name": { "type": "string" },
-    "policy_hash": { "type": "string" },
-    "graph_revision_id": { "type": "string" },
-    "ledger_id": { "type": "string" },
-    "replay_manifest": { "type": "string" },
-    "manifest_pointer": { "type": "string", "description": "Surface.FS manifest pointer" },
-    "decision": { "enum": ["allow", "deny", "dry-run"] },
-    "decision_reason": { "type": "string" },
-    "decision_at": { "type": "string", "format": "date-time" },
-    "monotonic_nanos": { "type": "integer" },
-    "side_effect": { "enum": ["none", "mutating", "bypass"] },
-    "bypass_waiver_id": { "type": "string" },
-    "payload_hash": { "type": "string" },
-    "signature": { "type": "string", "description": "DSSE envelope reference" }
-  }
+  "title": "Zastava Webhook Admission",
+  "type": "object"
 }

docs/modules/zastava/schemas/webhook_admission.schema.json.dsse

@@ -0,0 +1,10 @@
+{
+  "payload": "ewogICIkaWQiOiAiaHR0cHM6Ly9zdGVsbGEtb3BzLm9yZy9zY2hlbWFzL3phc3RhdmEvd2ViaG9va19hZG1pc3Npb24uc2NoZW1hLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAiYnlwYXNzX3dhaXZlcl9pZCI6IHsKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJkZWNpc2lvbiI6IHsKICAgICAgImVudW0iOiBbCiAgICAgICAgImFsbG93IiwKICAgICAgICAiZGVueSIsCiAgICAgICAgImRyeS1ydW4iCiAgICAgIF0KICAgIH0sCiAgICAiZGVjaXNpb25fYXQiOiB7CiAgICAgICJmb3JtYXQiOiAiZGF0ZS10aW1lIiwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJkZWNpc2lvbl9yZWFzb24iOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgImdyYXBoX3JldmlzaW9uX2lkIjogewogICAgICAibWluTGVuZ3RoIjogMSwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJsZWRnZXJfaWQiOiB7CiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAibWFuaWZlc3RfcG9pbnRlciI6IHsKICAgICAgImRlc2NyaXB0aW9uIjogIlN1cmZhY2UuRlMgbWFuaWZlc3QgcG9pbnRlciIsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAibW9ub3RvbmljX25hbm9zIjogewogICAgICAidHlwZSI6ICJpbnRlZ2VyIgogICAgfSwKICAgICJuYW1lc3BhY2UiOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInBheWxvYWQiOiB7CiAgICAgICJkZXNjcmlwdGlvbiI6ICJBZG1pc3Npb25SZXZpZXcgcGF5bG9hZCAoY2Fub25pY2FsIEpTT04pIGhhc2hlZCB2aWEgcGF5bG9hZF9oYXNoIiwKICAgICAgInR5cGUiOiAib2JqZWN0IgogICAgfSwKICAgICJwYXlsb2FkX2hhc2giOiB7CiAgICAgICJwYXR0ZXJuIjogIl5zaGEyNTY6WzAtOWEtZl17NjR9JCIsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAicG9saWN5X2hhc2giOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInByb2plY3RfaWQiOiB7CiAgICAgICJtaW5MZW5ndGgiOiAxLAogICAgICAidHlwZSI6ICJzdHJpbmciCiAgICB9LAogICAgInJlcGxheV9tYW5pZmVzdCI6IHsKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJyZXF1ZXN0X3VpZCI6IHsKICAgICAgIm1pbkxlbmd0aCI6IDEsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAicmVzb3VyY2Vfa2luZCI6IHsKICAgICAgIm1pbkxlbmd0aCI6IDEsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAic2lkZV9lZmZlY3QiOiB7CiAgICAgICJlbnVtIjogWwogICAgICAgICJub25lIiwKICAgICAgICAibXV0YXRpbmciLAogICAgICAgICJieXBhc3MiCiAgICAgIF0KICAgIH0sCiAgICAic2lnbmF0dXJlIjogewogICAgICAiZGVzY3JpcHRpb24iOiAiRFNTRSBlbnZlbG9wZSByZWZlcmVuY2UiLAogICAgICAicGF0dGVybiI6ICJeZHNzZTovL1tBLVphLXowLTkuXzovLV0rJCIsCiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAidGVuYW50X2lkIjogewogICAgICAibWluTGVuZ3RoIjogMSwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfSwKICAgICJ3b3JrbG9hZF9uYW1lIjogewogICAgICAibWluTGVuZ3RoIjogMSwKICAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfQogIH0sCiAgInJlcXVpcmVkIjogWwogICAgInRlbmFudF9pZCIsCiAgICAicHJvamVjdF9pZCIsCiAgICAicmVxdWVzdF91aWQiLAogICAgInJlc291cmNlX2tpbmQiLAogICAgIm5hbWVzcGFjZSIsCiAgICAid29ya2xvYWRfbmFtZSIsCiAgICAicG9saWN5X2hhc2giLAogICAgImdyYXBoX3JldmlzaW9uX2lkIiwKICAgICJkZWNpc2lvbiIsCiAgICAiZGVjaXNpb25fcmVhc29uIiwKICAgICJkZWNpc2lvbl9hdCIsCiAgICAibWFuaWZlc3RfcG9pbnRlciIsCiAgICAicGF5bG9hZCIsCiAgICAicGF5bG9hZF9oYXNoIiwKICAgICJzaWduYXR1cmUiCiAgXSwKICAidGl0bGUiOiAiWmFzdGF2YSBXZWJob29rIEFkbWlzc2lvbiIsCiAgInR5cGUiOiAib2JqZWN0Igp9Cg",
+  "payloadType": "application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1",
+  "signatures": [
+    {
+      "keyid": "mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc",
+      "sig": "Vk0mACAjBtUuVn_S2M5HU81zMbH8wDCQYOHVsft7cmxl0JbDrSIA9z3xlTI5JiT7DYOGsDUc96dlC1njldN4Aw"
+    }
+  ]
+}

docs/modules/zastava/thresholds.yaml.dsse

@@ -0,0 +1,10 @@
+{
+  "payload": "dmVyc2lvbjogMQp1cGRhdGVkX2F0OiAyMDI1LTEyLTAyVDAwOjAwOjAwWgpidWRnZXRzOgogIGxhdGVuY3lfbXNfcDk1OiAyNTAKICBlcnJvcl9yYXRlOiAwLjAxCiAgZHJvcF9yYXRlOiAwLjAwNQpidXJuX3JhdGVzOgogIGFkbWlzc2lvbl9kZW5pZXNfcGVyX21pbjogNQogIG9ic2VydmVyX2RyaWZ0c19wZXJfaG91cjogMgogIGhlYXJ0YmVhdF9taXNzX21pbnV0ZXM6IDMKYWxlcnRzOgogIHRocmVzaG9sZF9jaGFuZ2U6IHRydWUKICBidXJuX3JhdGVfZXhjZWVkZWQ6IHRydWUKICBraWxsX3N3aXRjaF90cmlnZ2VyZWQ6IHRydWUKc2lnbmluZzoKICBwcmVkaWNhdGU6IHN0ZWxsYS5vcHMvemFzdGF2YVRocmVzaG9sZHNAdjEKICBkc3NlX3JlcXVpcmVkOiB0cnVlCg",
+  "payloadType": "application/vnd.stellaops.zastava.thresholds+yaml;version=1",
+  "signatures": [
+    {
+      "keyid": "mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc",
+      "sig": "uQFBmx7vF4fj8uQsCiCN6VbxNS2m3XM-vJNFrj3rexL1PPzHH6IVtWRGexF7CsLrrpUV8U0AmS02S37vOk3zDA"
+    }
+  ]
+}