save checkpoint
@@ -0,0 +1,28 @@
# ELF Build-ID Correlation and DSO Tracking

## Module
Zastava

## Status
IMPLEMENTED

## Description
ELF Build-ID reader for correlating runtime binaries with SBOM entries and collecting runtime process facts including DSO information.

## Implementation Details
- **ElfBuildIdReader**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ElfBuildIdReader.cs` -- reads ELF Build-ID from binaries for SBOM correlation
- **RuntimeProcessCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeProcessCollector.cs` -- collects running process information including DSO (dynamic shared object) data
- **RuntimeFactsBuilder**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeFactsBuilder.cs` -- builds runtime facts from process snapshots and ELF data
- **ProcSnapshotCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/ProcSnapshotCollector.cs` -- collects /proc snapshot data for running containers
- **DotNetAssemblyCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/DotNetAssemblyCollector.cs` -- .NET assembly DSO tracking
- **JavaClasspathCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/JavaClasspathCollector.cs` -- Java classpath DSO tracking
- **PhpAutoloadCollector**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/ProcSnapshot/PhpAutoloadCollector.cs` -- PHP autoload DSO tracking
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Runtime/ElfBuildIdReaderTests.cs`, `RuntimeProcessCollectorTests.cs`, `RuntimeFactsBuilderTests.cs`, `TestSupport/ElfTestFileBuilder.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify ELF Build-ID extraction from container binaries matches SBOM entries
- [ ] Test DSO tracking for .NET assemblies, Java classpaths, and PHP autoloads
- [ ] Verify runtime facts builder produces complete process inventory with Build-IDs
- [ ] Test correlation between ELF Build-IDs and SBOM component digests
- [ ] Verify /proc snapshot captures all loaded shared objects for a container process
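Review bot: The Tests bullet lists tests for `ElfBuildIdReader`, `RuntimeProcessCollector` and `RuntimeFactsBuilder` only, while the second E2E item covers DSO tracking for .NET, Java and PHP whose collectors (`DotNetAssemblyCollector.cs`, `JavaClasspathCollector.cs`, `PhpAutoloadCollector.cs`) and `ProcSnapshotCollector.cs` have no test files listed; either add those tests to the bullet or do not mark the entry IMPLEMENTED until they exist. The E2E plan should also state the expected outcome when a binary carries no Build-ID note at all (stripped binaries, non-GNU toolchains), because "no Build-ID, so no correlation" must be reported differently from "Build-ID present but not in the SBOM", and the plan as written only tests the matching path.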
29
docs/features/checked/zastava/runtime-posture-evaluation.md
Normal file
@@ -0,0 +1,29 @@
# Runtime Posture Evaluation

## Module
Zastava

## Status
IMPLEMENTED

## Description
Runtime posture evaluator that assesses the security posture of running containers with caching support.

## Implementation Details
- **IRuntimePostureEvaluator interface**: `src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureEvaluator.cs` -- evaluates runtime security posture of containers
- **RuntimePostureEvaluator**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluator.cs` -- default posture evaluation implementation
- **RuntimePostureEvaluationResult**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluationResult.cs` -- evaluation result model
- **IRuntimePostureCache**: `src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureCache.cs` -- caching interface for posture evaluations
- **RuntimePostureCache**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCache.cs` -- in-memory cache for posture results
- **RuntimePostureCacheEntry**: `src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCacheEntry.cs` -- cache entry model
- **IRuntimePolicyClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/IRuntimePolicyClient.cs` -- client for runtime policy evaluation backend
- **RuntimePolicyClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimePolicyClient.cs` -- runtime policy client implementation
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Posture/RuntimePostureEvaluatorTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify posture evaluator assesses container security state from runtime facts
- [ ] Test posture cache returns cached results for repeated evaluations within TTL
- [ ] Verify posture evaluation integrates with runtime policy backend
- [ ] Test cache invalidation on container state change
- [ ] Verify evaluation results include posture score and risk indicators
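Review bot: The E2E plan depends on a TTL (item 2) and on invalidation when container state changes (item 4), but the `RuntimePostureCache` bullet says only "in-memory cache for posture results" and never states what the cache is keyed on or where the TTL comes from; without that, a stale "compliant" result being served after a container restarts is exactly the case the tests cannot pin down. Add the key and TTL source to that bullet. Item 5 also asserts a "posture score and risk indicators", which the `RuntimePostureEvaluationResult` bullet ("evaluation result model") does not mention; describe those fields there or drop the claim from the plan. Only `RuntimePostureEvaluatorTests.cs` is listed, so the cache and policy client have no test coverage recorded.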
@@ -0,0 +1,27 @@
# Verdict Observer/Validator/Ledger

## Module
Zastava

## Status
IMPLEMENTED

## Description
Verdict subsystem with observer, validator, and ledger interfaces for tracking security verdicts at runtime.

## Implementation Details
- **IVerdictObserver interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictObserver.cs` -- observes and records verdict decisions
- **IVerdictValidator interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictValidator.cs` -- validates verdict integrity and consistency
- **IVerdictLedger interface**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/IVerdictLedger.cs` -- append-only ledger for verdict history
- **VerdictObserverContracts**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Verdicts/VerdictObserverContracts.cs` -- verdict DTOs and contract models
- **AdmissionDecision**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs` -- admission verdict decision model
- **ZastavaContractVersions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs` -- contract versioning for verdict schemas
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify verdict observer records admission decisions with full context
- [ ] Test verdict validator checks decision integrity (hash, signature, timestamp)
- [ ] Verify verdict ledger provides append-only history with immutable entries
- [ ] Test contract versioning handles schema evolution
- [ ] Verify verdict chain maintains consistency across observer restarts
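Review bot: Every verdict component listed here is an interface (`IVerdictObserver`, `IVerdictValidator`, `IVerdictLedger`) or a contract model, no implementing class appears, and the only test file is `ZastavaContractVersionsTests.cs`; a Status of IMPLEMENTED is not supported by this list, and E2E items 3 and 5 (append-only, immutable ledger entries; chain consistency across observer restarts) cannot be verified against interfaces alone. Either add the implementations with their tests or set the status to reflect that only contracts exist. Item 2 should also name which signature format the validator checks, since "hash, signature, timestamp" gives the tester no concrete input to construct.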
@@ -0,0 +1,27 @@
# Windows Container Runtime Support

## Module
Zastava

## Status
IMPLEMENTED

## Description
Windows container runtime monitoring with ETW event source integration, PE format library hashing, and Windows-specific container lifecycle tracking within the Zastava Observer.

## Implementation Details
- **IWindowsContainerRuntimeClient interface**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/IWindowsContainerRuntimeClient.cs` -- Windows-specific container runtime client
- **DockerWindowsRuntimeClient**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/DockerWindowsRuntimeClient.cs` -- Docker for Windows runtime client implementation
- **WindowsContainerInfo**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/WindowsContainerInfo.cs` -- Windows container metadata model
- **WindowsLibraryHashCollector**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/WindowsLibraryHashCollector.cs` -- PE format library hashing for Windows DLLs
- **ContainerStateTracker**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs` -- shared container lifecycle state tracking
- **ContainerStateTrackerFactory**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTrackerFactory.cs` -- factory for creating state trackers per runtime type
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/ContainerRuntime/Windows/WindowsContainerRuntimeTests.cs`
- **Source**: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md

## E2E Test Plan
- [ ] Verify Docker for Windows runtime client enumerates running Windows containers
- [ ] Test PE format library hashing collects DLL hashes for SBOM correlation
- [ ] Verify Windows container lifecycle tracking (start/stop/restart)
- [ ] Test container state tracker handles Windows-specific container states
- [ ] Verify Windows library hash collector supports .NET Framework and .NET Core DLLs
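Review bot: The Description promises "ETW event source integration", but no listed component, test or E2E item involves ETW; either list the ETW source and add a plan item for it or remove the claim from the description. The `WindowsLibraryHashCollector` bullet ("PE format library hashing for Windows DLLs") should also say what is hashed, the raw file bytes or a PE-aware digest that skips fields such as the checksum and Authenticode signature, because E2E item 2 compares these hashes against SBOM entries and the two choices do not produce the same value for a signed DLL.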
34
docs/features/checked/zastava/zastava-admission-webhook.md
Normal file
@@ -0,0 +1,34 @@
# Zastava Admission Webhook

## Module
Zastava

## Status
IMPLEMENTED

## Description
Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.

## Implementation Details
- **AdmissionEndpoint**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs` -- webhook endpoint handling admission review requests
- **AdmissionReviewParser**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs` -- parses Kubernetes AdmissionReview payloads
- **AdmissionReviewModels**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs` -- admission review request/response models
- **AdmissionResponseBuilder**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs` -- builds allow/deny responses with status and audit annotations
- **AdmissionRequestContext**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs` -- contextual data for admission evaluation
- **FacetAdmissionValidator**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/FacetAdmissionValidator.cs` -- facet-based validation rules
- **ImageDigestResolver**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs` -- resolves image tags to digests
- **RuntimeAdmissionPolicyService**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs` -- evaluates runtime admission policies
- **RuntimePolicyCache**: `src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs` -- caches policy decisions
- **Certificate management**: `src/Zastava/StellaOps.Zastava.Webhook/Certificates/` -- `IWebhookCertificateProvider`, `SecretFileCertificateSource`, `CsrCertificateSource`, `WebhookCertificateHealthCheck`
- **StartupValidationHostedService**: `src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs` -- validates webhook configuration on startup
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/` -- `AdmissionResponseBuilderTests.cs`, `AdmissionReviewParserTests.cs`, `FacetAdmissionValidatorTests.cs`, `RuntimeAdmissionPolicyServiceTests.cs`; `Certificates/` -- `SecretFileCertificateSourceTests.cs`, `WebhookCertificateProviderTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify webhook accepts and parses Kubernetes AdmissionReview requests
- [ ] Test image digest resolution converts tags to sha256 digests before evaluation
- [ ] Verify facet-based admission rules allow/deny containers based on policy
- [ ] Test runtime admission policy service evaluates verdicts from backend
- [ ] Verify admission response includes audit annotations for allowed/denied decisions
- [ ] Test certificate management handles TLS renewal and health checks
- [ ] Verify policy cache reduces latency for repeated admission evaluations
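Review bot: The E2E plan has no failure-mode items for the two calls that decide the verdict: nothing states what `ImageDigestResolver` returns when the registry is unreachable or the tag does not resolve, and nothing states what `RuntimeAdmissionPolicyService` answers when the backend is down. For an admission webhook the fail-open versus fail-closed behaviour is the property worth testing, so add an item per case stating the expected response (deny, or allow with an audit annotation) and whether `RuntimePolicyCache` may serve a cached decision during backend outages. Item 2 should also cover a request that already references an image by digest, which must bypass tag resolution rather than re-resolve. Under Tests, `CsrCertificateSource` and `WebhookCertificateHealthCheck` have no test files listed although both are named under Certificate management.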
31
docs/features/checked/zastava/zastava-agent.md
Normal file
@@ -0,0 +1,31 @@
# Zastava Agent (VM/Bare-Metal Docker Socket Deployment)

## Module
Zastava

## Status
IMPLEMENTED

## Description
Standalone agent for VM and bare-metal hosts that monitors Docker socket events for container lifecycle tracking. Alternative to the CRI-based Observer for non-Kubernetes environments, with systemd service deployment and Ansible provisioning support.

## Implementation Details
- **Agent Program**: `src/Zastava/StellaOps.Zastava.Agent/Program.cs` -- standalone agent entry point
- **DockerSocketClient**: `src/Zastava/StellaOps.Zastava.Agent/Docker/DockerSocketClient.cs` -- Docker socket client for monitoring container events via Unix/named pipe socket
- **IDockerSocketClient**: `src/Zastava/StellaOps.Zastava.Agent/Docker/IDockerSocketClient.cs` -- Docker socket client interface
- **DockerEventModels**: `src/Zastava/StellaOps.Zastava.Agent/Docker/DockerEventModels.cs` -- Docker event payload models (start, stop, die, etc.)
- **DockerEventHostedService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/DockerEventHostedService.cs` -- background service consuming Docker socket events
- **RuntimeEventBuffer**: `src/Zastava/StellaOps.Zastava.Agent/Worker/RuntimeEventBuffer.cs` -- buffers runtime events for batch dispatch
- **RuntimeEventDispatchService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/RuntimeEventDispatchService.cs` -- dispatches buffered events to backend
- **RuntimeEventsClient**: `src/Zastava/StellaOps.Zastava.Agent/Backend/RuntimeEventsClient.cs` -- HTTP client for posting events to platform backend
- **HealthCheckHostedService**: `src/Zastava/StellaOps.Zastava.Agent/Worker/HealthCheckHostedService.cs` -- agent health check background service
- **ZastavaAgentOptions**: `src/Zastava/StellaOps.Zastava.Agent/Configuration/ZastavaAgentOptions.cs` -- agent configuration
- **AgentServiceCollectionExtensions**: `src/Zastava/StellaOps.Zastava.Agent/Worker/AgentServiceCollectionExtensions.cs` -- DI registration
- **Source**: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md

## E2E Test Plan
- [ ] Verify agent connects to Docker socket and receives container lifecycle events
- [ ] Test event buffering and batch dispatch to platform backend
- [ ] Verify agent handles Docker socket reconnection on connection loss
- [ ] Test health check service reports agent status
- [ ] Verify agent works on both Linux (Unix socket) and Windows (named pipe) hosts
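Review bot: This entry has no Tests bullet at all, unlike the other Zastava feature files, yet its Status is IMPLEMENTED; add the test files or state explicitly that none exist. The E2E plan also omits the privilege boundary of the Docker socket: the Description says the agent "monitors Docker socket events", so an item verifying that the agent only reads the events stream and functions without write access to the socket would document the least-privilege expectation that the systemd unit and Ansible provisioning should enforce. Item 3 (reconnection) should state whether events emitted during the disconnect are recovered or acknowledged as lost, since `RuntimeEventBuffer` as described only buffers events already received.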
28
docs/features/checked/zastava/zastava-contract-validators.md
Normal file
@@ -0,0 +1,28 @@
# Zastava Contract Validators

## Module
Zastava

## Status
IMPLEMENTED

## Description
Runtime and admission contract validators enforcing tenant-scoped binding rules, configuration schema compliance, and threshold-based verdicts for Zastava observer and webhook components.

## Implementation Details
- **ZastavaContractValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaContractValidator.cs` -- validates runtime and admission contracts against schema, tenant scoping, and threshold rules
- **ZastavaContractVersions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs` -- versioned contract schemas for observer and webhook
- **RuntimeEvent contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs` -- runtime event contract model
- **AdmissionDecision contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs` -- admission decision contract model
- **SurfaceCacheValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Validation/SurfaceCacheValidator.cs` -- validates surface cache consistency
- **ZastavaRuntimeOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaRuntimeOptions.cs` -- runtime configuration schema
- **ZastavaSurfaceSecretsOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaSurfaceSecretsOptions.cs` -- surface secrets configuration
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md

## E2E Test Plan
- [ ] Verify contract validator enforces tenant-scoped binding rules
- [ ] Test configuration schema compliance for runtime options
- [ ] Verify threshold-based verdict validation rejects out-of-range values
- [ ] Test contract version compatibility checks for schema evolution
- [ ] Verify surface cache validator detects inconsistencies
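Review bot: `Validation/OfflineStrictModeTests.cs` is listed under Tests, but nothing in this file's Implementation Details concerns offline or strict mode, so the test does not map to any listed component; either add the component it exercises or move the reference to the file that owns it. No test is listed for `ZastavaContractValidator` itself, which is the component the first three E2E items exercise. Those items are also only testable once the `ZastavaContractValidator` bullet names the rules: what a tenant binding is checked against and which fields carry thresholds; "validates ... against schema, tenant scoping, and threshold rules" gives the tester nothing concrete to reject.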
35
docs/features/checked/zastava/zastava-runtime-observer.md
Normal file
@@ -0,0 +1,35 @@
# Zastava Runtime Observer (CRI Container Lifecycle Tracking)

## Module
Zastava

## Status
IMPLEMENTED

## Description
Full CRI-based container runtime observer with lifecycle tracking, state tracking, and polling. Supports both CRI (Linux) and Docker Windows runtimes.

## Implementation Details
- **Observer Program**: `src/Zastava/StellaOps.Zastava.Observer/Program.cs` -- CRI-based observer entry point
- **CRI runtime**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/` -- `CriRuntimeClient.cs`, `CriRuntimeClientFactory.cs`, `CriModels.cs`, `CriConversions.cs` for CRI socket-based container monitoring
- **ContainerStateTracker**: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs` -- tracks container lifecycle state transitions
- **ContainerLifecycleHostedService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerLifecycleHostedService.cs` -- background service for lifecycle event processing
- **ContainerRuntimePoller**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerRuntimePoller.cs` -- polls container runtime for state changes
- **RuntimeEventBuffer**: `src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeEventBuffer.cs` -- buffers events before dispatch
- **RuntimeEventDispatchService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventDispatchService.cs` -- dispatches events to backend
- **RuntimeEventFactory**: `src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventFactory.cs` -- creates typed runtime events
- **ObserverBootstrapService**: `src/Zastava/StellaOps.Zastava.Observer/Worker/ObserverBootstrapService.cs` -- observer startup and initialization
- **BackoffCalculator**: `src/Zastava/StellaOps.Zastava.Observer/Worker/BackoffCalculator.cs` -- exponential backoff for retry logic
- **RuntimeFactsClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimeFactsClient.cs` -- client for posting runtime facts to backend
- **RuntimeEventsClient**: `src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimeEventsClient.cs` -- client for posting runtime events
- **ZastavaObserverOptions**: `src/Zastava/StellaOps.Zastava.Observer/Configuration/ZastavaObserverOptions.cs` -- observer configuration
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/` -- `ContainerRuntimePollerTests.cs`, `Runtime/RuntimeEventBufferTests.cs`, `Worker/RuntimeEventFactoryTests.cs`, `Backend/RuntimeEventsClientTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify CRI runtime client connects to CRI socket and lists containers
- [ ] Test container state tracker detects start/stop/restart lifecycle events
- [ ] Verify runtime event buffer batches and dispatches events efficiently
- [ ] Test both Linux CRI and Windows Docker runtime support
- [ ] Verify observer bootstrap initializes and recovers from failures with backoff
- [ ] Test runtime facts and events are posted to backend clients
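Review bot: E2E item 4 ("Test both Linux CRI and Windows Docker runtime support") has no Windows component behind it in this file's Implementation Details, which list only the `Cri/` runtime and the shared `ContainerStateTracker`; either reference the Windows client here or leave that item to the Windows container runtime file so the two entries do not claim the same coverage. `ContainerStateTracker`, `ContainerLifecycleHostedService` and `BackoffCalculator` have no tests listed although E2E items 2 and 5 depend on them; a `BackoffCalculator` test in particular should pin the maximum delay so a prolonged backend outage (item 5) cannot degrade into a tight retry loop against the CRI socket or the backend. Item 3 ("batches and dispatches events efficiently") should also state what happens when the buffer is full, since dropping lifecycle events silently would leave gaps in the runtime record.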
@@ -0,0 +1,29 @@
# Zastava Verdict Hashing and Security

## Module
Zastava

## Status
IMPLEMENTED

## Description
Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.

## Implementation Details
- **ZastavaHashing**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs` -- deterministic hashing for verdict decisions
- **ZastavaCanonicalJsonSerializer**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs` -- RFC 8785 canonical JSON serialization for deterministic hashing
- **IZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs` -- authority token provider interface
- **ZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs` -- OIDC-based token provider for authenticated backend communication
- **ZastavaOperationalToken**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs` -- operational token model
- **AuthorityTokenProvider**: `src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs` -- webhook-specific token provider
- **OfflineStrictModeHandler**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs` -- HTTP handler enforcing offline/air-gap mode restrictions
- **ZastavaRuntimeMetrics**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs` -- metrics for security operations
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs`, `Serialization/ZastavaCanonicalJsonSerializerTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md

## E2E Test Plan
- [ ] Verify deterministic hashing produces identical hashes for equivalent verdicts
- [ ] Test canonical JSON serialization follows RFC 8785 for reproducible output
- [ ] Verify authority token provider obtains and refreshes OIDC tokens
- [ ] Test offline strict mode blocks external HTTP calls in air-gapped deployments
- [ ] Verify verdict hash chain integrity across observer restarts
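Review bot: The Description claims DSSE-signed observer and admission schemas and zastava-kit bundle verification, but no listed component signs anything or verifies a bundle: `ZastavaHashing` and `ZastavaCanonicalJsonSerializer` cover hashing only, and the remaining bullets are token provision, the offline HTTP handler and metrics. List the signing and bundle-verification code or trim the description to what this file documents. E2E item 5 ("verdict hash chain integrity across observer restarts") likewise presupposes a persisted chain linking each verdict hash to its predecessor, which no bullet describes; if `ZastavaHashing` hashes individual verdicts, reword the item, otherwise add the chain component and state where the chain head is stored. The RFC 8785 item is the right test for item 1, but it should include an input with non-ASCII strings and floating-point numbers, which are where canonicalisation implementations most often diverge. Note that `Validation/OfflineStrictModeTests.cs` is cited both here and in the contract-validators file; one of the two should own it.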