feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
30
src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md
Normal file
30
src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md
Normal file
@@ -0,0 +1,30 @@
|
||||
# Zastava Webhook Guild Charter
|
||||
|
||||
## Mission
|
||||
Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible.
|
||||
|
||||
## Scope
|
||||
- Admission controller code under `StellaOps.Zastava.Webhook`.
|
||||
- Request validation, response generation, and audit logging.
|
||||
- Integration with Surface.FS/Env/Secrets/Validation and Authority scopes.
|
||||
- Helm/Compose configuration samples and compatibility with sealed environments.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/zastava/architecture.md`
|
||||
- `docs/modules/scanner/design/surface-fs.md`
|
||||
- `docs/modules/scanner/design/surface-env.md`
|
||||
- `docs/modules/scanner/design/surface-secrets.md`
|
||||
- `docs/modules/scanner/design/surface-validation.md`
|
||||
- `docs/modules/scanner/architecture.md` (runtime posture/admission sections)
|
||||
- `docs/modules/policy/architecture.md`
|
||||
- `docs/modules/airgap/airgap-mode.md`
|
||||
- `docs/modules/devops/runbooks/zastava-deployment.md`
|
||||
|
||||
## Working Agreement
|
||||
1. **Task state**: update `docs/implplan/SPRINTS.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work.
|
||||
2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
|
||||
3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
|
||||
4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
|
||||
5. **Offline posture**: operate without external egress; surface actionable errors when cache/attestation data is missing.
|
||||
6. **Testing**: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets.
|
||||
7. **Documentation**: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes.
|
||||
Reference in New Issue
Block a user