stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Refactor code structure for improved readability and maintainability
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-06 21:48:12 +02:00
parent f6c22854a4
commit dd0067ea0b
105 changed files with 12662 additions and 427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/implplan/SPRINT_0144_0001_0001_zastava.md
View File

@@ -1,17 +1,36 @@
# Sprint 144 - Runtime & Signals · 140.D) Zastava
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Topic & Scope
- Runtime & Signals focus on Zastava — observer and webhook Surface integration.
- Keep cache/env/secrets wiring aligned with Surface helpers and enforce Surface.FS for admission decisions.
- Working directory: `src/Zastava` (Observer + Webhook).
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Dependencies & Concurrency
- Depends on Sprint 120.A - AirGap and Sprint 130.A - Scanner.
- For any BLOCKED tasks, review `BLOCKED_DEPENDENCY_TREE.md` before resuming work.
[Runtime & Signals] 140.D) Zastava
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
Summary: Runtime & Signals focus on Zastava — observer and webhook Surface integration.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ZASTAVA-ENV-01 | DONE | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer)
ZASTAVA-ENV-02 | DONE | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). Dependencies: ZASTAVA-ENV-01. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook)
ZASTAVA-SECRETS-01 | DONE | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. | Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer)
ZASTAVA-SECRETS-02 | DONE | Retrieve attestation verification secrets via Surface.Secrets. Dependencies: ZASTAVA-SECRETS-01. | Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook)
ZASTAVA-SURFACE-01 | DONE | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces).<br>2025-10-24: Observer unit tests pending; `dotnet restore` needs offline copies of `Google.Protobuf`, `Grpc.Net.Client`, and `Grpc.Tools` in `local-nuget` before verification.<br>2025-11-27: All tests pass; Surface.FS integration verified. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer)
ZASTAVA-SURFACE-02 | DONE | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. Dependencies: ZASTAVA-SURFACE-01. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook)
## Documentation Prerequisites
- docs/README.md
- docs/modules/platform/architecture-overview.md
- docs/modules/zastava/architecture.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ZASTAVA-ENV-01 | DONE | Surface.Env helpers available | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. |
| 2 | ZASTAVA-ENV-02 | DONE | Depends on ZASTAVA-ENV-01 | Zastava Webhook Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Switch webhook configuration to Surface.Env helpers for cache endpoint, secret refs, and feature toggles. |
| 3 | ZASTAVA-SECRETS-01 | DONE | Completed | Zastava Observer Guild; Security Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. |
| 4 | ZASTAVA-SECRETS-02 | DONE | Depends on ZASTAVA-SECRETS-01 | Zastava Webhook Guild; Security Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Retrieve attestation verification secrets via Surface.Secrets. |
| 5 | ZASTAVA-SURFACE-01 | DONE | Tests verified 2025-11-27 | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Integrate Surface.FS client for runtime drift detection (cached layer hashes/entry traces). Observer unit tests now pass; offline `local-nuget` copies required for gRPC packages. |
| 6 | ZASTAVA-SURFACE-02 | DONE | Depends on ZASTAVA-SURFACE-01 | Zastava Webhook Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
## Decisions & Risks
- All Zastava runtime/signal tasks completed; Surface.FS integration verified.
- No open blockers; revisit Surface.FS/offline cache freshness if Scanner deliverables change.
## Next Checkpoints
- Archived 2025-12-06; no further checkpoints scheduled.