stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/features/checked/zastava/zastava-verdict-hashing-and-security.md Normal file
View File

@@ -0,0 +1,29 @@
# Zastava Verdict Hashing and Security
## Module
Zastava
## Status
IMPLEMENTED
## Description
Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.
## Implementation Details
- **ZastavaHashing**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs` -- deterministic hashing for verdict decisions
- **ZastavaCanonicalJsonSerializer**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs` -- RFC 8785 canonical JSON serialization for deterministic hashing
- **IZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs` -- authority token provider interface
- **ZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs` -- OIDC-based token provider for authenticated backend communication
- **ZastavaOperationalToken**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs` -- operational token model
- **AuthorityTokenProvider**: `src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs` -- webhook-specific token provider
- **OfflineStrictModeHandler**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs` -- HTTP handler enforcing offline/air-gap mode restrictions
- **ZastavaRuntimeMetrics**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs` -- metrics for security operations
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs`, `Serialization/ZastavaCanonicalJsonSerializerTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md
## E2E Test Plan
- [ ] Verify deterministic hashing produces identical hashes for equivalent verdicts
- [ ] Test canonical JSON serialization follows RFC 8785 for reproducible output
- [ ] Verify authority token provider obtains and refreshes OIDC tokens
- [ ] Test offline strict mode blocks external HTTP calls in air-gapped deployments
- [ ] Verify verdict hash chain integrity across observer restarts