# StellaOps Zastava

Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.

## Latest updates (2025-11-30)

- Sprint tracker `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md` and module `TASKS.md` added to mirror status.
- Observability runbook stub + dashboard placeholder added under `operations/` (offline import).
- Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.

## Responsibilities

- Observe node/container activity and emit runtime events.
- Validate signatures, SBOM presence, and backend verdicts before allowing containers.
- Buffer and replay events during disconnections.
- Trigger delta scans when runtime posture drifts.

## Key components

- `StellaOps.Zastava.Observer` daemonset.
- `StellaOps.Zastava.Webhook` admission controller.
- Shared contracts in `StellaOps.Zastava.Core`.

## Integrations & dependencies

- Authority for OpToks and mTLS.
- Scanner/Scheduler for remediation triggers.
- Notify/UI for runtime alerts and dashboards.

## Operational notes

- Runbook `./operations/observability.md` (stub) plus dashboard placeholder `./operations/dashboards/zastava-observability.json`.
- Legacy runtime runbook assets remain under `./operations` if present; keep offline kit bundles deterministic.
- DPoP/mTLS rotation guidance shared with Authority.

## Related resources

- `./operations/runtime.md`
- `./operations/runtime-grafana-dashboard.json`
- `./operations/runtime-prometheus-rules.yaml`

## Backlog references

- ZASTAVA runtime tasks in `../../TASKS.md`.
- Webhook smoke tests tracked in `src/Zastava/**/TASKS.md`.