stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Add VEX Lens CI and Load Testing Plan
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source 
- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
This commit is contained in:
StellaOps Bot
2025-12-02 07:18:28 +02:00
parent 44171930ff
commit 885ce86af4
83 changed files with 2090 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
docs/modules/zastava/gaps/2025-12-02-zr-gaps.md Normal file
View File

@@ -0,0 +1,49 @@
# Zastava Runtime Signals Gaps (ZR1ZR10)
**Source:** `docs/product-advisories/31-Nov-2025 FINDINGS.md`
**Compiled:** 2025-12-02 (UTC)
**Scope:** Close ZR1ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.
## Gap remediation summary
- **ZR1 · Canonical schemas & hashing**
- Publish signed JSON Schemas for Observer emission and Webhook admission envelopes under `docs/modules/zastava/schemas/`.
- Enforce JCS canonical JSON; compute `sha256` over canonical form; include test vectors.
- Validators reject non-canonical payloads; DSSE required on bundles.
- **ZR2 · Tenant isolation & scope binding**
- Require `tenant_id` and `project_id` on all Observer/Webhook requests; fail closed on missing/ambiguous values.
- Add tenancy annotations to DSSE envelopes and enforce tenancy in admission allowlist.
- Add cross-tenant negative tests.
- **ZR3 · Determinism & time source**
- Use monotonic clock + UTC; standardize ordering: `tenant -> namespace -> workload -> digest`.
- Add multi-run hash CI to ensure stable serialization.
- **ZR4 · Provenance & signer identity**
- Require DSSE envelopes with fields: `sensor_id`, `firmware_version`, `policy_hash`, `graph_revision_id`, `signer_key_id`.
- Reject unsigned/unknown signer; log provenance to CAS.
- **ZR5 · Admission side-effects & escape hatches**
- Side-effect allowlist documented; deny non-listed hooks.
- Bypass/debug require dual approval and DSSE waiver with expiry; log and alert on use.
- **ZR6 · Offline/air-gap parity**
- Provide `zastava-kit` bundle (admissions + observations + schemas + DSSE + hashes) with deterministic tar flags (`--mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27`).
- Include `verify.sh` for hash/signature/tenant checks; no network dependencies.
- **ZR7 · Replay/audit linkage**
- Embed `ledger_id` and `replay_manifest` refs in events/admissions; store in CAS.
- Export linkage in offline kit and Evidence Locker.
- **ZR8 · Thresholds, burn-rate & anomaly policy**
- Versioned `thresholds.yaml` with DSSE signatures; change log required.
- Alerts on threshold change; publish budgets (latency, error rate, drop rate).
- **ZR9 · PII/redaction & log hygiene**
- Redaction allowlist + size limits; CI + ingest PII/secret scan.
- Truncate with omission counts; include `redaction_manifest` in DSSE annotations.
- **ZR10 · Health, kill-switch & fallback**
- Fault counter + kill-switch with DSSE-signed disable record.
- Configurable fail-open/closed (default fail-closed for admission); manual re-enable requires DSSE record.
## Artefacts created
- This remediation plan: `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md` (to be cross-linked from sprint 0144 and TASKS).
- Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.
## Next steps
1) Generate schemas + test vectors and place under `docs/modules/zastava/schemas/`; sign DSSE.
2) Draft `thresholds.yaml` with budgets and sign DSSE.
3) Build `zastava-kit` bundle + `verify.sh`; include Evidence Locker path and SHA256.
4) Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.