master
66cb6c4b8a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
StellaOps Zastava
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
Responsibilities
- Observe node/container activity and emit runtime events.
- Validate signatures, SBOM presence, and backend verdicts before allowing containers.
- Buffer and replay events during disconnections.
- Trigger delta scans when runtime posture drifts.
Key components
StellaOps.Zastava.Observerdaemonset.StellaOps.Zastava.Webhookadmission controller.- Shared contracts in
StellaOps.Zastava.Core.
Integrations & dependencies
- Authority for OpToks and mTLS.
- Scanner/Scheduler for remediation triggers.
- Notify/UI for runtime alerts and dashboards.
Operational notes
- Runbook ./operations/runtime.md with Grafana/Prometheus assets.
- Offline kit assets bundling webhook charts.
- DPoP/mTLS rotation guidance shared with Authority.
Related resources
- ./operations/runtime.md
- ./operations/runtime-grafana-dashboard.json
- ./operations/runtime-prometheus-rules.yaml
Backlog references
- ZASTAVA runtime tasks in ../../TASKS.md.
- Webhook smoke tests tracked in src/Zastava/**/TASKS.md.