# StellaOps Zastava

Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.

## Latest updates (2025-12-02)

- DSSE-signed schemas, thresholds, exports, and deterministic `zastava-kit` bundle published under `docs/modules/zastava`; verification via `kit/verify.sh` and hashes in `SHA256SUMS`.
- Sprint tracker `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md` and module `TASKS.md` added to mirror status.
- Observability runbook stub + dashboard placeholder added under `operations/` (offline import).
- Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.

## Responsibilities

- Observe node/container activity and emit runtime events.
- Validate signatures, SBOM presence, and backend verdicts before allowing containers.
- Buffer and replay events during disconnections.
- Trigger delta scans when runtime posture drifts.

## Key components

- `StellaOps.Zastava.Observer` daemonset.
- `StellaOps.Zastava.Webhook` admission controller.
- Shared contracts in `StellaOps.Zastava.Core`.

## Integrations & dependencies

- Authority for OpToks and mTLS.
- Scanner/Scheduler for remediation triggers.
- Notify/UI for runtime alerts and dashboards.

## Operational notes

- Runbook `./operations/observability.md` (stub) plus dashboard placeholder `./operations/dashboards/zastava-observability.json`.
- Legacy runtime runbook assets remain under `./operations` if present; keep offline kit bundles deterministic.
- DPoP/mTLS rotation guidance shared with Authority.
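The admission checks listed under Responsibilities (signature, SBOM presence, backend verdict) can be illustrated as a fail-closed decision over an AdmissionReview v1 request. This is an added example, not code from the Zastava webhook; the verdict fields `signature_verified`, `sbom_present`, `verdict` and the digest-keyed `lookup` callable are assumptions standing in for the contracts in `StellaOps.Zastava.Core`.

```python
import json
from typing import Callable, Optional

# Verdict shape and digest-keyed lookup are assumptions for this example; real contracts are in StellaOps.Zastava.Core.
Lookup = Callable[[str], Optional[dict]]

def image_digest(image: str) -> Optional[str]:
    """Return the sha256 digest of a digest-pinned image reference, or None for a tag-only reference."""
    _, sep, digest = image.partition("@sha256:")
    return digest if sep and len(digest) == 64 else None

def check_image(image: str, lookup: Lookup) -> Optional[str]:
    """Return a denial reason for one container image, or None when it passes every check."""
    digest = image_digest(image)
    if digest is None:
        return f"{image}: image must be pinned by sha256 digest"
    verdict = lookup(digest)
    if verdict is None:  # backend unreachable or image unknown: fail closed rather than admit
        return f"{image}: no backend verdict available"
    if not verdict.get("signature_verified"):
        return f"{image}: signature not verified"
    if not verdict.get("sbom_present"):
        return f"{image}: SBOM missing"
    if verdict.get("verdict") != "pass":
        return f"{image}: backend verdict is {verdict.get('verdict')!r}"
    return None

def admission_response(review: dict, lookup: Lookup) -> dict:
    """Build the AdmissionReview v1 response for a pod request; initContainers are checked too."""
    request = review["request"]
    spec = request["object"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    reasons = [r for r in (check_image(c["image"], lookup) for c in containers) if r]
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed sample request and verdict store (not real images or backend data).
GOOD = "registry.example/app@sha256:" + "a" * 64
BAD = "registry.example/tool@sha256:" + "b" * 64
VERDICTS = {"a" * 64: {"signature_verified": True, "sbom_present": True, "verdict": "pass"},
            "b" * 64: {"signature_verified": True, "sbom_present": False, "verdict": "pass"}}
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "0000-demo", "object": {"spec": {"containers": [{"image": GOOD}, {"image": BAD}]}}}}

if __name__ == "__main__":
    print(json.dumps(admission_response(SAMPLE_REVIEW, VERDICTS.get), indent=2))
```

A missing verdict denies rather than admits, so a backend outage surfaces as a scheduling failure instead of an unverified container; the buffering described above is what keeps that window short.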
## Related resources

- ./operations/runtime.md
- ./operations/runtime-grafana-dashboard.json
- ./operations/runtime-prometheus-rules.yaml

## Implementation Status

### Current Objectives

- Maintain deterministic behaviour and offline parity across releases
- Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes
- Coordinate with platform contracts before enabling sealed mode

### Core Capabilities

- Runtime event observation: node/container activity monitoring
- Admission control: signature validation, SBOM presence, backend verdict checks
- Disconnection resilience: event buffering and replay during network outages
- Delta scan triggering when runtime posture drifts

### Key Components

- StellaOps.Zastava.Observer daemonset for runtime monitoring
- StellaOps.Zastava.Webhook admission controller for policy enforcement
- StellaOps.Zastava.Core shared contracts

### Integration Points

- Authority: OpToks and mTLS for secure communication
- Scanner/Scheduler: remediation trigger coordination
- Notify/UI: runtime alerts and dashboard visualization
- Platform contracts: Surface.Env/Surface.Secrets (pending alignment)

### Operational Assets (Sprint 0335 · 2025-12-02)

- DSSE-signed schemas, thresholds, exports in docs/modules/zastava
- Deterministic zastava-kit bundle with verification via kit/verify.sh
- SHA256SUMS for bundle integrity validation
- Observability runbook: operations/observability.md
- Dashboard placeholder: operations/dashboards/zastava-observability.json
- Legacy assets: operations/runtime.md, runtime-grafana-dashboard.json, runtime-prometheus-rules.yaml

### Technical Decisions

- Deterministic offline kit bundles with signed manifests
- DPoP/mTLS rotation guidance shared with Authority
- Surface.Env/Surface.Secrets adoption pending platform contract finalization

### Coordination Approach

- Review AGENTS.md before starting new work
- Sync with cross-cutting teams via docs/implplan/SPRINT_*.md
- Track backlog: ZASTAVA runtime tasks in ../../TASKS.md
- Webhook smoke tests: src/Zastava/**/TASKS.md
- Sprint tracker: docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md
- Module status mirror: docs/modules/zastava/TASKS.md

## Backlog references

- ZASTAVA runtime tasks in ../../TASKS.md.
- Webhook smoke tests tracked in src/Zastava/**/TASKS.md.