# Zastava Evidence Locker Plan (schemas/kit)

Artifacts to sign (target 2025-12-06):

- `schemas/observer_event.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `schemas/webhook_admission.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `thresholds.yaml` — predicate `stella.ops/zastavaThresholds@v1`
- `zastava-kit.tzst` + `SHA256SUMS` — predicate `stella.ops/zastavaKit@v1`

Planned Evidence Locker paths (fill after signing):

- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst`
- `evidence-locker/zastava/2025-12-06/SHA256SUMS`

Signing template (replace KEY and file):

```bash
cosign sign-blob \
  --key cosign.key \
  --predicate-type stella.ops/zastavaSchema@v1 \
  --output-signature schemas/observer_event.schema.dsse \
  schemas/observer_event.schema.json
```

Post-sign steps:

1) Verify DSSEs with `cosign verify-blob` using `cosign.pub`.
2) Upload DSSEs + SHA256SUMS to Evidence Locker paths above.
3) Update `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md` Decisions & Risks and Next Checkpoints with final URIs.
4) Mark tasks ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 to DONE in both sprint and TASKS tables.
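
A preflight check that could run between post-sign steps 1 and 2, added here as an example and not part of the project's tooling: it confirms that a local staging directory holds every file named in the planned Evidence Locker paths and that `SHA256SUMS` actually lists and matches `zastava-kit.tzst`. The function name `check_locker_stage`, the staging-directory argument, and the standard `sha256sum` line format for `SHA256SUMS` are assumptions.

```bash
#!/usr/bin/env bash
# Added example: preflight check of a staged Evidence Locker directory
# before upload. Not part of the Zastava tooling.
# Assumption: SHA256SUMS uses the standard `sha256sum` line format.

# File names taken from the planned Evidence Locker paths.
ZASTAVA_EXPECTED="observer_event.schema.dsse webhook_admission.schema.dsse
thresholds.dsse zastava-kit.tzst SHA256SUMS"

# check_locker_stage DIR
# Returns 0 when DIR holds every expected file and the kit digest matches,
# 1 otherwise. The body is a subshell, so `cd` and variables do not leak.
check_locker_stage() (
  dir="$1"
  rc=0

  # Report every missing or zero-length artifact, not only the first one.
  for f in $ZASTAVA_EXPECTED; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $f" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || exit 1

  # A checksum file that does not mention the kit would pass `-c` while
  # proving nothing about it, so require an entry for it explicitly.
  # Accepts both text ("  name") and binary (" *name") line forms.
  if ! grep -Eq '^[0-9a-f]{64} [ *]zastava-kit\.tzst$' "$dir/SHA256SUMS"; then
    echo "SHA256SUMS does not list zastava-kit.tzst" >&2
    exit 1
  fi

  # Recompute digests relative to the staging directory.
  cd "$dir" || exit 1
  if ! sha256sum -c SHA256SUMS >&2; then
    echo "digest mismatch in $dir" >&2
    exit 1
  fi
)

# Stand-alone use: pass the staging directory as the first argument.
if [ "$#" -gt 0 ]; then
  check_locker_stage "$1"
fi
```

This covers completeness and integrity of the staged files only; signature validity is still established by the `cosign verify-blob` step.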