feat: Add VEX Lens CI and Load Testing Plan

- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing. - Defined load test parameters and SLOs for VEX Lens API and Issuer Directory. - Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates. - Established offline posture guidelines for CI jobs and load testing. feat: Implement deterministic projection verification script - Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes. - Ensured robust error handling for missing files and hash mismatches. feat: Develop Vuln Explorer CI and Ops Plan - Created CI jobs for Vuln Explorer, including build, test, and replay verification. - Implemented backup and disaster recovery strategies for MongoDB and Redis. - Established Merkle anchoring verification and automation for ledger projector. feat: Introduce EventEnvelopeHasher for hashing event envelopes - Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes. feat: Add Risk Store and Dashboard components - Developed `RiskStore` for managing risk data and state. - Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities. - Implemented unit tests for `RiskStore` and `RiskDashboardComponent`. feat: Enhance Vulnerability Detail Component - Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities. - Implemented error handling for missing vulnerability IDs and loading failures.
2025-12-02 07:18:28 +02:00
parent 44171930ff
commit 885ce86af4
83 changed files with 2090 additions and 97 deletions
--- a/docs/modules/signals/evidence/README.md
+++ b/docs/modules/signals/evidence/README.md
@@ -0,0 +1,35 @@
+# Signals DSSE Evidence Staging (runtime/signals gaps)
+
+Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:
+
+- Decay config: `docs/modules/signals/decay/confidence_decay_config.yaml`
+- Unknowns scoring manifest: `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`
+- Heuristic catalog + schema + fixtures: `docs/modules/signals/heuristics/`
+- Checksums: `docs/modules/signals/SHA256SUMS`
+
+Planned Evidence Locker paths (to fill post-signing):
+- `evidence-locker/signals/decay/2025-12-01/confidence_decay_config.dsse`
+- `evidence-locker/signals/unknowns/2025-12-01/unknowns_scoring_manifest.dsse`
+- `evidence-locker/signals/heuristics/2025-12-01/heuristics_catalog.dsse`
+- `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)
+
+Pending steps:
+1) Sign each artifact with its predicate:
+   - `stella.ops/confidenceDecayConfig@v1`
+   - `stella.ops/unknownsScoringManifest@v1`
+   - `stella.ops/heuristicCatalog@v1`
+   Example (replace KEY):
+   ```bash
+   cosign sign-blob \
+     --key cosign.key \
+     --predicate-type stella.ops/confidenceDecayConfig@v1 \
+     --output-signature confidence_decay_config.dsse \
+     decay/confidence_decay_config.yaml
+   ```
+2) Attach SHA256 from `SHA256SUMS` in DSSE headers/annotations.
+3) Place signed envelopes + checksums in the Evidence Locker paths above; update sprint tracker Delivery Tracker rows 5–7 and Decisions & Risks with the final URIs.
+4) Add signer/approver IDs to the sprint Execution Log once signatures are complete.
+
+Notes:
+- Use UTC timestamps in DSSE `issuedAt`.
+- Ensure offline parity by copying envelopes + SHA256SUMS into the offline kit bundle when ready.
--- a/docs/modules/zastava/SHA256SUMS
+++ b/docs/modules/zastava/SHA256SUMS
@@ -0,0 +1,5 @@
+e65d4b68c9bdaa569c6d4c5a9b0a8bc1dc41876f948983011ff6f9d3466565d0  schemas/observer_event.schema.json
+f466bf2b399f065558867eaf3c961cff8803f4a1506bae5539c9ce62e9ab005d  schemas/webhook_admission.schema.json
+40fabd4d7bc75c35ae063b2e931e79838c79b447528440456f5f4846951ff59d  thresholds.yaml
+652fce7d7b622ae762c8fb65a1e592bec14b124c3273312f93a63d2c29a2b989  kit/verify.sh
+f3f84fbe780115608268a91a5203d2d3ada50b4317e7641d88430a692e61e1f4  kit/README.md
--- a/docs/modules/zastava/TASKS.md
+++ b/docs/modules/zastava/TASKS.md
@@ -5,5 +5,8 @@
 | ZASTAVA-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refreshed; Surface Env/Secrets and sprint links added. |
 | ZASTAVA-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md`. |
 | ZASTAVA-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
+| ZASTAVA-SCHEMAS-0001 | TODO | Zastava Guild | Publish signed observer/admission schemas + test vectors under `docs/modules/zastava/schemas/`; DSSE + SHA256 required. |
+| ZASTAVA-KIT-0001 | TODO | Zastava Guild | Build signed `zastava-kit` bundle with thresholds.yaml, schemas, observations/admissions export, SHA256SUMS, and verify.sh; ensure offline parity. |
+| ZASTAVA-GAPS-144-007 | DONE (2025-12-02) | Zastava Guild | Remediation plan for ZR1–ZR10 published at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; follow-on schemas/kit/thresholds to be produced and signed. |

 > Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).
--- a/docs/modules/zastava/gaps/2025-12-02-zr-gaps.md
+++ b/docs/modules/zastava/gaps/2025-12-02-zr-gaps.md
@@ -0,0 +1,49 @@
+# Zastava Runtime Signals Gaps (ZR1–ZR10)
+
+**Source:** `docs/product-advisories/31-Nov-2025 FINDINGS.md`
+**Compiled:** 2025-12-02 (UTC)
+**Scope:** Close ZR1–ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.
+
+## Gap remediation summary
+- **ZR1 · Canonical schemas & hashing**
+  - Publish signed JSON Schemas for Observer emission and Webhook admission envelopes under `docs/modules/zastava/schemas/`.
+  - Enforce JCS canonical JSON; compute `sha256` over canonical form; include test vectors.
+  - Validators reject non-canonical payloads; DSSE required on bundles.
+- **ZR2 · Tenant isolation & scope binding**
+  - Require `tenant_id` and `project_id` on all Observer/Webhook requests; fail closed on missing/ambiguous values.
+  - Add tenancy annotations to DSSE envelopes and enforce tenancy in admission allowlist.
+  - Add cross-tenant negative tests.
+- **ZR3 · Determinism & time source**
+  - Use monotonic clock + UTC; standardize ordering: `tenant -> namespace -> workload -> digest`.
+  - Add multi-run hash CI to ensure stable serialization.
+- **ZR4 · Provenance & signer identity**
+  - Require DSSE envelopes with fields: `sensor_id`, `firmware_version`, `policy_hash`, `graph_revision_id`, `signer_key_id`.
+  - Reject unsigned/unknown signer; log provenance to CAS.
+- **ZR5 · Admission side-effects & escape hatches**
+  - Side-effect allowlist documented; deny non-listed hooks.
+  - Bypass/debug require dual approval and DSSE waiver with expiry; log and alert on use.
+- **ZR6 · Offline/air-gap parity**
+  - Provide `zastava-kit` bundle (admissions + observations + schemas + DSSE + hashes) with deterministic tar flags (`--mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27`).
+  - Include `verify.sh` for hash/signature/tenant checks; no network dependencies.
+- **ZR7 · Replay/audit linkage**
+  - Embed `ledger_id` and `replay_manifest` refs in events/admissions; store in CAS.
+  - Export linkage in offline kit and Evidence Locker.
+- **ZR8 · Thresholds, burn-rate & anomaly policy**
+  - Versioned `thresholds.yaml` with DSSE signatures; change log required.
+  - Alerts on threshold change; publish budgets (latency, error rate, drop rate).
+- **ZR9 · PII/redaction & log hygiene**
+  - Redaction allowlist + size limits; CI + ingest PII/secret scan.
+  - Truncate with omission counts; include `redaction_manifest` in DSSE annotations.
+- **ZR10 · Health, kill-switch & fallback**
+  - Fault counter + kill-switch with DSSE-signed disable record.
+  - Configurable fail-open/closed (default fail-closed for admission); manual re-enable requires DSSE record.
+
+## Artefacts created
+- This remediation plan: `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md` (to be cross-linked from sprint 0144 and TASKS).
+- Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.
+
+## Next steps
+1) Generate schemas + test vectors and place under `docs/modules/zastava/schemas/`; sign DSSE.
+2) Draft `thresholds.yaml` with budgets and sign DSSE.
+3) Build `zastava-kit` bundle + `verify.sh`; include Evidence Locker path and SHA256.
+4) Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.
--- a/docs/modules/zastava/kit/README.md
+++ b/docs/modules/zastava/kit/README.md
@@ -0,0 +1,12 @@
+# Zastava Kit (offline bundle) – Draft
+
+Contents to include when built:
+- Observations and admissions exports (NDJSON) signed via DSSE.
+- Schemas: `schemas/observer_event.schema.json`, `schemas/webhook_admission.schema.json`.
+- Thresholds: `thresholds.yaml` (DSSE-signed).
+- Hash manifest: `SHA256SUMS` (covering all kit files).
+- Verify script: `verify.sh` (hash + DSSE verification; fail closed on mismatch).
+
+Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.
+
+Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
--- a/docs/modules/zastava/kit/verify.sh
+++ b/docs/modules/zastava/kit/verify.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")" && pwd)"
+cd "$ROOT"
+
+if ! command -v sha256sum >/dev/null; then
+  echo "sha256sum required" >&2; exit 1
+fi
+
+sha256sum --check SHA256SUMS
+# TODO: add DSSE verification once signatures are available; placeholder below
+# cosign verify-blob --key cosign.pub --signature observer_event.schema.json.sig observer_event.schema.json
+
+echo "OK: hashes verified (DSSE verification pending)"
--- a/docs/modules/zastava/schemas/observer_event.schema.json
+++ b/docs/modules/zastava/schemas/observer_event.schema.json
@@ -0,0 +1,34 @@
+{
+  "$id": "https://stella-ops.org/schemas/zastava/observer_event.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Zastava Observer Event",
+  "type": "object",
+  "required": [
+    "tenant_id",
+    "project_id",
+    "sensor_id",
+    "firmware_version",
+    "policy_hash",
+    "graph_revision_id",
+    "event_type",
+    "observed_at",
+    "payload_hash",
+    "signature" 
+  ],
+  "properties": {
+    "tenant_id": { "type": "string" },
+    "project_id": { "type": "string" },
+    "sensor_id": { "type": "string" },
+    "firmware_version": { "type": "string" },
+    "policy_hash": { "type": "string" },
+    "graph_revision_id": { "type": "string" },
+    "ledger_id": { "type": "string" },
+    "replay_manifest": { "type": "string" },
+    "event_type": { "enum": ["runtime_fact", "drift", "policy_violation", "heartbeat"] },
+    "observed_at": { "type": "string", "format": "date-time" },
+    "monotonic_nanos": { "type": "integer" },
+    "payload": { "type": "object" },
+    "payload_hash": { "type": "string", "description": "sha256 over canonical JSON (JCS) of payload" },
+    "signature": { "type": "string", "description": "DSSE envelope reference" }
+  }
+}
--- a/docs/modules/zastava/schemas/webhook_admission.schema.json
+++ b/docs/modules/zastava/schemas/webhook_admission.schema.json
@@ -0,0 +1,42 @@
+{
+  "$id": "https://stella-ops.org/schemas/zastava/webhook_admission.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Zastava Webhook Admission",
+  "type": "object",
+  "required": [
+    "tenant_id",
+    "project_id",
+    "request_uid",
+    "resource_kind",
+    "namespace",
+    "workload_name",
+    "policy_hash",
+    "graph_revision_id",
+    "decision",
+    "decision_reason",
+    "decision_at",
+    "manifest_pointer",
+    "signature"
+  ],
+  "properties": {
+    "tenant_id": { "type": "string" },
+    "project_id": { "type": "string" },
+    "request_uid": { "type": "string" },
+    "resource_kind": { "type": "string" },
+    "namespace": { "type": "string" },
+    "workload_name": { "type": "string" },
+    "policy_hash": { "type": "string" },
+    "graph_revision_id": { "type": "string" },
+    "ledger_id": { "type": "string" },
+    "replay_manifest": { "type": "string" },
+    "manifest_pointer": { "type": "string", "description": "Surface.FS manifest pointer" },
+    "decision": { "enum": ["allow", "deny", "dry-run"] },
+    "decision_reason": { "type": "string" },
+    "decision_at": { "type": "string", "format": "date-time" },
+    "monotonic_nanos": { "type": "integer" },
+    "side_effect": { "enum": ["none", "mutating", "bypass"] },
+    "bypass_waiver_id": { "type": "string" },
+    "payload_hash": { "type": "string" },
+    "signature": { "type": "string", "description": "DSSE envelope reference" }
+  }
+}
--- a/docs/modules/zastava/thresholds.yaml
+++ b/docs/modules/zastava/thresholds.yaml
@@ -0,0 +1,17 @@
+version: 1
+updated_at: 2025-12-02T00:00:00Z
+budgets:
+  latency_ms_p95: 250
+  error_rate: 0.01
+  drop_rate: 0.005
+burn_rates:
+  admission_denies_per_min: 5
+  observer_drifts_per_hour: 2
+  heartbeat_miss_minutes: 3
+alerts:
+  threshold_change: true
+  burn_rate_exceeded: true
+  kill_switch_triggered: true
+signing:
+  predicate: stella.ops/zastavaThresholds@v1
+  dsse_required: true