# Zastava Webhook Guild Charter

## Mission

Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible.

## Scope

- Admission controller code under `StellaOps.Zastava.Webhook`.
- Request validation, response generation, and audit logging.
- Integration with Surface.FS/Env/Secrets/Validation and Authority scopes.
- Helm/Compose configuration samples and compatibility with sealed environments.

## Required Reading

- `docs/modules/zastava/architecture.md`
- `docs/modules/scanner/design/surface-fs.md`
- `docs/modules/scanner/design/surface-env.md`
- `docs/modules/scanner/design/surface-secrets.md`
- `docs/modules/scanner/design/surface-validation.md`
- `docs/modules/scanner/architecture.md` (runtime posture/admission sections)
- `docs/modules/policy/architecture.md`
- `docs/modules/airgap/airgap-mode.md`
- `docs/modules/devops/runbooks/zastava-deployment.md`

## Working Agreement

1. **Task state**: update the corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work.
2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
5. **Offline posture**: operate without external egress; surface actionable errors when cache/attestation data is missing.
6. **Testing**: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets.
7. **Documentation**: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes.
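As an added illustration of agreement items 3 to 5 (not code from the Zastava project, whose webhook is .NET; written in Python for brevity), the following builds an AdmissionReview v1 response purely from the request and a constructed evidence cache, keeps clocks out of the verdict, and fails closed with an actionable message when the cache has no entry. The cache layout, evidence IDs, digests and the `zastava.example/evidence` annotation key are assumptions.

```python
import hashlib
import json

# Constructed stand-in for the evidence a Surface.FS cache manifest would provide,
# keyed by image digest. The digests and evidence IDs are placeholders, not real values.
EVIDENCE_CACHE = {
    "sha256:aaaa1111": {"verdict": "pass", "evidence": ["sbom:ev-002", "attest:ev-001"]},
    "sha256:bbbb2222": {"verdict": "fail", "evidence": ["policy:ev-009", "sbom:ev-003"]},
}


def evaluate(uid, image_digest, cache=EVIDENCE_CACHE):
    """Build an AdmissionReview v1 response as a pure function of (uid, digest, cache).

    No clocks, random IDs or dict iteration order reach the response, so the same
    request against the same cache always yields a byte-identical verdict.
    """
    entry = cache.get(image_digest)
    if entry is None:
        # Offline posture: no egress to fetch evidence, so fail closed with an
        # actionable message naming what the operator must refresh.
        allowed, evidence = False, []
        message = f"deny: no cached evidence for {image_digest}; refresh the Surface cache"
    else:
        allowed = entry["verdict"] == "pass"
        evidence = sorted(entry["evidence"])  # sorted so the trace is order-independent
        message = f"{'allow' if allowed else 'deny'}: evidence={','.join(evidence)}"
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": uid,
            "allowed": allowed,
            "status": {"code": 200 if allowed else 403, "message": message},
            # auditAnnotations reach the API server audit log for every verdict.
            "auditAnnotations": {"zastava.example/evidence": ",".join(evidence)},
        },
    }


def verdict_digest(response):
    """SHA-256 over a canonical serialisation; equal digests prove equal verdicts."""
    body = json.dumps(response, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def audit_record(response, observed_at):
    """Audit entry for the allow/deny decision. The caller-supplied timestamp lives
    here, outside the admission response, so the verdict itself stays deterministic."""
    r = response["response"]
    return {"uid": r["uid"], "allowed": r["allowed"],
            "reason": r["status"]["message"], "observed_at": observed_at}
```

`verdict_digest` is what an e2e harness can compare across repeated runs to catch any non-deterministic field creeping into the response.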