# Sprint 144 - Runtime & Signals · 140.D) Zastava

## Topic & Scope
- Runtime & Signals focus on Zastava — observer and webhook Surface integration.
- Keep cache/env/secrets wiring aligned with Surface helpers and enforce Surface.FS for admission decisions.
- Working directory: `src/Zastava` (Observer + Webhook).

## Dependencies & Concurrency
- Depends on Sprint 120.A - AirGap and Sprint 130.A - Scanner.
- For any BLOCKED tasks, review `BLOCKED_DEPENDENCY_TREE.md` before resuming work.

## Documentation Prerequisites
- docs/README.md
- docs/modules/platform/architecture-overview.md
- docs/modules/zastava/architecture.md

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ZASTAVA-ENV-01 | DONE | Surface.Env helpers available | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. |
| 2 | ZASTAVA-ENV-02 | DONE | Depends on ZASTAVA-ENV-01 | Zastava Webhook Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Switch webhook configuration to Surface.Env helpers for cache endpoint, secret refs, and feature toggles. |
| 3 | ZASTAVA-SECRETS-01 | DONE | Completed | Zastava Observer Guild; Security Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. |
| 4 | ZASTAVA-SECRETS-02 | DONE | Depends on ZASTAVA-SECRETS-01 | Zastava Webhook Guild; Security Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Retrieve attestation verification secrets via Surface.Secrets. |
| 5 | ZASTAVA-SURFACE-01 | DONE | Tests verified 2025-11-27 | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`) | Integrate Surface.FS client for runtime drift detection (cached layer hashes/entry traces). Observer unit tests now pass; offline `local-nuget` copies required for gRPC packages. |
| 6 | ZASTAVA-SURFACE-02 | DONE | Depends on ZASTAVA-SURFACE-01 | Zastava Webhook Guild (`src/Zastava/StellaOps.Zastava.Webhook`) | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |

## Decisions & Risks
- All Zastava runtime/signal tasks completed; Surface.FS integration verified.
- No open blockers; revisit Surface.FS/offline cache freshness if Scanner deliverables change.

## Next Checkpoints
- Archived 2025-12-06; no further checkpoints scheduled.