# Zastava Contract Validators

## Module
Zastava

## Status
IMPLEMENTED

## Description
Runtime and admission contract validators enforcing tenant-scoped binding rules, configuration schema compliance, and threshold-based verdicts for Zastava observer and webhook components.

## Implementation Details
- **ZastavaContractValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaContractValidator.cs` -- validates runtime and admission contracts against schema, tenant scoping, and threshold rules
- **ZastavaContractVersions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs` -- versioned contract schemas for observer and webhook
- **RuntimeEvent contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs` -- runtime event contract model
- **AdmissionDecision contract**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs` -- admission decision contract model
- **SurfaceCacheValidator**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Validation/SurfaceCacheValidator.cs` -- validates surface cache consistency
- **ZastavaRuntimeOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaRuntimeOptions.cs` -- runtime configuration schema
- **ZastavaSurfaceSecretsOptions**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaSurfaceSecretsOptions.cs` -- surface secrets configuration
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md

## E2E Test Plan
- [ ] Verify contract validator enforces tenant-scoped binding rules
- [ ] Test configuration schema compliance for runtime options
- [ ] Verify threshold-based verdict validation rejects out-of-range values
- [ ] Test contract version compatibility checks for schema evolution
- [ ] Verify surface cache validator detects inconsistencies