stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/zastava/README.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00

1.9 KiB
Raw Blame History

StellaOps Zastava

Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.

Latest updates (2025-12-02)

  • DSSE-signed schemas, thresholds, exports, and deterministic zastava-kit bundle published under docs/modules/zastava; verification via kit/verify.sh and hashes in SHA256SUMS.
  • Sprint tracker docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md and module TASKS.md added to mirror status.
  • Observability runbook stub + dashboard placeholder added under operations/ (offline import).
  • Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.

Responsibilities

  • Observe node/container activity and emit runtime events.
  • Validate signatures, SBOM presence, and backend verdicts before allowing containers.
  • Buffer and replay events during disconnections.
  • Trigger delta scans when runtime posture drifts.

Key components

  • StellaOps.Zastava.Observer daemonset.
  • StellaOps.Zastava.Webhook admission controller.
  • Shared contracts in StellaOps.Zastava.Core.

Integrations & dependencies

  • Authority for OpToks and mTLS.
  • Scanner/Scheduler for remediation triggers.
  • Notify/UI for runtime alerts and dashboards.

Operational notes

  • Runbook ./operations/observability.md (stub) plus dashboard placeholder ./operations/dashboards/zastava-observability.json.
  • Legacy runtime runbook assets remain under ./operations if present; keep offline kit bundles deterministic.
  • DPoP/mTLS rotation guidance shared with Authority.

Related resources

  • ./operations/runtime.md
  • ./operations/runtime-grafana-dashboard.json
  • ./operations/runtime-prometheus-rules.yaml

Backlog references

  • ZASTAVA runtime tasks in ../../TASKS.md.
  • Webhook smoke tests tracked in src/Zastava/**/TASKS.md.