up

docs/09_API_CLI_REFERENCE.md

@@ -629,6 +629,13 @@ See `docs/dev/32_AUTH_CLIENT_GUIDE.md` for recommended profiles (online vs. air-
 | `stellaops-cli config show` | Display resolved configuration | — | Masks secret values; helpful for air‑gapped installs |
 | `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, and Rekor attestation (uuid + verified flag). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
 
+`POST /api/v1/scanner/policy/runtime` responds with one entry per digest. Each result now includes:
+
+- `policyVerdict` (`pass|warn|fail|error`), `signed`, and `hasSbomReferrers` parity with the webhook contract.
+- `confidence` (0-1 double) derived from canonical `PolicyPreviewService` evaluation and `quieted`/`quietedBy` flags for muted findings.
+- `rekor` block carrying `uuid`, `url`, and the attestor-backed `verified` boolean when Rekor inclusion proofs have been confirmed.
+- `metadata` (stringified JSON) capturing runtime heuristics, policy issues, evaluated findings, and timestamps for downstream audit.
+
 When running on an interactive terminal without explicit override flags, the CLI uses Spectre.Console prompts to let you choose per-run ORAS/offline bundle behaviour.
 
 Runtime verdict output reflects the SCANNER-RUNTIME-12-302 contract sign-off (quieted provenance, confidence band, attestation verification). CLI-RUNTIME-13-008 now mirrors those fields in both table and `--json` formats.

docs/ARCHITECTURE_ZASTAVA.md

@@ -66,14 +66,15 @@ stellaops/zastava-agent       # System service; watch Docker events; observer on
     "imageRef": "ghcr.io/acme/api@sha256:abcd…",
     "owner": { "kind": "Deployment", "name": "api" }
   },
-  "process": {
-    "pid": 12345,
-    "entrypoint": ["/entrypoint.sh", "--serve"],
-    "entryTrace": [
-      {"file":"/entrypoint.sh","line":3,"op":"exec","target":"/usr/bin/python3"},
-      {"file":"<argv>","op":"python","target":"/opt/app/server.py"}
-    ]
-  },
+  "process": {
+    "pid": 12345,
+    "entrypoint": ["/entrypoint.sh", "--serve"],
+    "entryTrace": [
+      {"file":"/entrypoint.sh","line":3,"op":"exec","target":"/usr/bin/python3"},
+      {"file":"<argv>","op":"python","target":"/opt/app/server.py"}
+    ],
+    "buildId": "9f3a1cd4c0b7adfe91c0e3b51d2f45fb0f76a4c1"
+  },
   "loadedLibs": [
     { "path": "/lib/x86_64-linux-gnu/libssl.so.3", "inode": 123456, "sha256": "…"},
     { "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", "inode": 123457, "sha256": "…"}
@@ -133,7 +134,8 @@ stellaops/zastava-agent       # System service; watch Docker events; observer on
 * **Watch** container lifecycle (start/stop) via CRI (`/run/containerd/containerd.sock` gRPC read‑only) or `/var/log/containers/*.log` tail fallback.
 * **Resolve** container → image digest, mount point rootfs.
 * **Trace entrypoint**: attach **short‑lived** nsenter/exec to PID 1 in container, parse shell for `exec` chain (bounded depth), record **terminal program**.
-* **Sample loaded libs**: read `/proc/<pid>/maps` and `exe` symlink to collect **actually loaded** DSOs; compute **sha256** for each mapped file (bounded count/size).
+* **Sample loaded libs**: read `/proc/<pid>/maps` and `exe` symlink to collect **actually loaded** DSOs; compute **sha256** for each mapped file (bounded count/size).
+* **Record GNU build-id**: parse `NT_GNU_BUILD_ID` from `/proc/<pid>/exe` and attach the normalized hex to runtime events for symbol/debug-store correlation.
 * **Posture check** (cheap):
 
   * Image signature presence (if cosign policies are local; else ask backend).