# Zastava Verdict Hashing and Security

## Module
Zastava

## Status
IMPLEMENTED

## Description
Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.

## Implementation Details
- **ZastavaHashing**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs` -- deterministic hashing for verdict decisions
- **ZastavaCanonicalJsonSerializer**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs` -- RFC 8785 canonical JSON serialization for deterministic hashing
- **IZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs` -- authority token provider interface
- **ZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs` -- OIDC-based token provider for authenticated backend communication
- **ZastavaOperationalToken**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs` -- operational token model
- **AuthorityTokenProvider**: `src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs` -- webhook-specific token provider
- **OfflineStrictModeHandler**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs` -- HTTP handler enforcing offline/air-gap mode restrictions
- **ZastavaRuntimeMetrics**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs` -- metrics for security operations
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs`, `Serialization/ZastavaCanonicalJsonSerializerTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md

## E2E Test Plan
- [ ] Verify deterministic hashing produces identical hashes for equivalent verdicts
- [ ] Test canonical JSON serialization follows RFC 8785 for reproducible output
- [ ] Verify authority token provider obtains and refreshes OIDC tokens
- [ ] Test offline strict mode blocks external HTTP calls in air-gapped deployments
- [ ] Verify verdict hash chain integrity across observer restarts
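
The first two checks in the test plan rest on canonical JSON yielding one byte sequence per logical verdict. The following is an added example, not Zastava's own code: an RFC 8785 canonicalizer in JavaScript (the RFC defines number and string serialization in terms of ECMAScript's) feeding a hash. The verdict field names, the use of SHA-256 and the `sha256:` prefix are assumptions.

```javascript
const crypto = require("node:crypto");

// RFC 8785 (JCS): no whitespace, object members sorted by the UTF-16 code
// units of their keys, primitives serialized the way ECMAScript does.
// Not covered here: rejecting lone surrogates in strings.
function canonicalize(value) {
  if (value === null || typeof value !== "object") {
    if (typeof value === "number" && !Number.isFinite(value)) {
      throw new TypeError("NaN and Infinity have no canonical JSON form");
    }
    const out = JSON.stringify(value);
    if (out === undefined) throw new TypeError("value is not JSON data");
    return out;
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  // The default sort() compares strings by UTF-16 code units, as JCS requires.
  const members = Object.keys(value).sort()
    .map((key) => JSON.stringify(key) + ":" + canonicalize(value[key]));
  return "{" + members.join(",") + "}";
}

// Assumption: SHA-256 over the UTF-8 bytes of the canonical form.
function verdictHash(verdict) {
  const bytes = Buffer.from(canonicalize(verdict), "utf8");
  return "sha256:" + crypto.createHash("sha256").update(bytes).digest("hex");
}

// Constructed sample verdicts; the field names are hypothetical.
// A and B differ only in key order, whitespace, number and escape spelling.
const SAMPLE_A = '{"verdict":"deny","image":"registry.example/app:1","reasons":["unsigned","policy"],"score":10}';
const SAMPLE_B = '{ "score": 1e1, "reasons": ["unsigned", "policy"],\n  "image": "registry.example/app:1", "verdict": "\\u0064eny" }';
// C reorders the array, which is a different logical verdict.
const SAMPLE_C = '{"verdict":"deny","image":"registry.example/app:1","reasons":["policy","unsigned"],"score":10}';

for (const text of [SAMPLE_A, SAMPLE_B, SAMPLE_C]) {
  console.log(verdictHash(JSON.parse(text)));
}
```

Array order is part of the verdict, so the third sample hashes differently; a producer that emits list fields in nondeterministic order has to sort them before hashing.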