feat: Add VEX Lens CI and Load Testing Plan

- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.

deploy/README.md

@@ -27,10 +27,11 @@ Maintaining the digest linkage keeps offline/air-gapped installs reproducible an
 
 ### Surface.Env rollout warnings
 
-- Compose (`deploy/compose/env/*.env.example`) and Helm (`deploy/helm/stellaops/values-*.yaml`) now seed `SCANNER_SURFACE_*` variables so the worker and web service resolve cache roots, Surface.FS endpoints, and secrets providers through `StellaOps.Scanner.Surface.Env`.
+- Compose (`deploy/compose/env/*.env.example`) and Helm (`deploy/helm/stellaops/values-*.yaml`) now seed `SCANNER_SURFACE_*` _and_ `ZASTAVA_SURFACE_*` variables so Scanner Worker/WebService and Zastava Observer/Webhook resolve cache roots, Surface.FS endpoints, and secrets providers through `StellaOps.Scanner.Surface.Env`.
 - During rollout, watch for structured log messages (and readiness output) prefixed with `surface.env.`—for example, `surface.env.cache_root_missing`, `surface.env.endpoint_unreachable`, or `surface.env.secrets_provider_invalid`.
 - Treat these warnings as deployment blockers: update the endpoint/cache/secrets values or permissions before promoting the environment, otherwise workers will fail fast at startup.
 - Air-gapped bundles default the secrets provider to `file` with `/etc/stellaops/secrets`; connected clusters default to `kubernetes`. Adjust the provider/root pair if your secrets manager differs.
+- Secret provisioning workflows for Kubernetes/Compose/Offline Kit are documented in `ops/devops/secrets/surface-secrets-provisioning.md`; follow that for `Surface.Secrets` handles and RBAC/permissions.
 
 ### Mongo2Go OpenSSL prerequisites
 

deploy/compose/env/airgap.env.example

@@ -29,6 +29,9 @@ SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
 SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
 SCANNER_SURFACE_SECRETS_PROVIDER=file
 SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
 SCHEDULER_QUEUE_KIND=Nats

deploy/compose/env/dev.env.example

@@ -31,6 +31,11 @@ SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
 SCANNER_SURFACE_SECRETS_PROVIDER=inline
 SCANNER_SURFACE_SECRETS_ROOT=
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+ZASTAVA_SURFACE_SECRETS_PROVIDER=${SCANNER_SURFACE_SECRETS_PROVIDER}
+ZASTAVA_SURFACE_SECRETS_ROOT=${SCANNER_SURFACE_SECRETS_ROOT}
 SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler

deploy/compose/env/prod.env.example

@@ -31,6 +31,9 @@ SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
 SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
 SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
 SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
 SCHEDULER_QUEUE_KIND=Nats

deploy/compose/env/stage.env.example

@@ -28,6 +28,9 @@ SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
 SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
 SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
 SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
 SCHEDULER_QUEUE_KIND=Nats

deploy/helm/stellaops/values.yaml

@@ -97,6 +97,22 @@ configMaps:
       SCANNER_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
       SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
       SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
+      # Zastava consumers inherit Scanner defaults but can be overridden via ZASTAVA_* envs
+      ZASTAVA_SURFACE_FS_ENDPOINT: "{{ .Values.surface.fs.endpoint }}"
+      ZASTAVA_SURFACE_FS_BUCKET: "{{ .Values.surface.fs.bucket }}"
+      ZASTAVA_SURFACE_FS_REGION: "{{ .Values.surface.fs.region }}"
+      ZASTAVA_SURFACE_CACHE_ROOT: "{{ .Values.surface.cache.root }}"
+      ZASTAVA_SURFACE_CACHE_QUOTA_MB: "{{ .Values.surface.cache.quotaMb }}"
+      ZASTAVA_SURFACE_PREFETCH_ENABLED: "{{ .Values.surface.cache.prefetchEnabled }}"
+      ZASTAVA_SURFACE_TENANT: "{{ .Values.surface.tenant }}"
+      ZASTAVA_SURFACE_FEATURES: "{{ .Values.surface.features }}"
+      ZASTAVA_SURFACE_TLS_CERT_PATH: "{{ .Values.surface.tls.certPath }}"
+      ZASTAVA_SURFACE_TLS_KEY_PATH: "{{ .Values.surface.tls.keyPath }}"
+      ZASTAVA_SURFACE_SECRETS_PROVIDER: "{{ .Values.surface.secrets.provider }}"
+      ZASTAVA_SURFACE_SECRETS_NAMESPACE: "{{ .Values.surface.secrets.namespace }}"
+      ZASTAVA_SURFACE_SECRETS_ROOT: "{{ .Values.surface.secrets.root }}"
+      ZASTAVA_SURFACE_SECRETS_FALLBACK_PROVIDER: "{{ .Values.surface.secrets.fallbackProvider }}"
+      ZASTAVA_SURFACE_SECRETS_ALLOW_INLINE: "{{ .Values.surface.secrets.allowInline }}"
 
   issuer-directory-config:
     data: