stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/zastava/evidence
History
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00
..
README.md
feat: add PolicyPackSelectorComponent with tests and integration
2025-12-05 21:24:34 +02:00

README.md

Zastava Evidence Locker (schemas/kit)

Signed 2025-12-02 with Ed25519 key (pub base64url: mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc). Private key stored offline; all signatures use DSSEv1 pre-auth encoding. Public key copy: docs/modules/zastava/kit/ed25519.pub.

Artefacts

  • schemas/observer_event.schema.json.dsse (payloadType application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1)
  • schemas/webhook_admission.schema.json.dsse (payloadType application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1)
  • thresholds.yaml.dsse (payloadType application/vnd.stellaops.zastava.thresholds+yaml;version=1)
  • exports/observer_events.ndjson.dsse (payloadType application/vnd.stellaops.zastava.observer-events+ndjson;version=1)
  • exports/webhook_admissions.ndjson.dsse (payloadType application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1)
  • kit/zastava-kit.tzst.dsse (payloadType application/vnd.stellaops.zastava.kit+tzst;version=1)

Evidence Locker targets

  • evidence-locker/zastava/2025-12-02/observer_event.schema.json.dsse
  • evidence-locker/zastava/2025-12-02/webhook_admission.schema.json.dsse
  • evidence-locker/zastava/2025-12-02/thresholds.yaml.dsse
  • evidence-locker/zastava/2025-12-02/observer_events.ndjson.dsse
  • evidence-locker/zastava/2025-12-02/webhook_admissions.ndjson.dsse
  • evidence-locker/zastava/2025-12-02/zastava-kit.tzst
  • evidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsse
  • evidence-locker/zastava/2025-12-02/SHA256SUMS

Local staging: all files above are present under evidence-locker/zastava/2025-12-02/ in the repo root, ready for locker upload/mirroring.

Deterministic tarball (built with tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner over payloads + DSSE):

evidence-locker/zastava/2025-12-02/zastava-evidence.tar  sha256=e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae

Verification helper (uses the hash above and inner SHA256SUMS):

./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]

Upload (once locker creds exist):

export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh   # pushes both Zastava and Signals bundles

Helper script for manual push (expects EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN):

tools/zastava-upload-evidence.sh

Packaging is deterministic (tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner) and prints the tarball SHA256 before upload. Ensure kit/verify.sh passes before pushing.

CI delivery note

  • Locker upload in CI requires a write credential (e.g., CI_EVIDENCE_LOCKER_TOKEN) with access to the evidence-locker/zastava/ namespace.
  • If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.

Signing template (Python, ed25519)

python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization

priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
pt = '<payload-type>'
payload = Path('<file-to-sign>').read_bytes()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)
env = {
    'payloadType': pt,
    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('<file-to-sign>.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('signed', '<file-to-sign>', 'with keyid', keyid)
PY

Post-sign checklist

  1. Run kit/verify.sh to validate hashes + DSSE.
  2. Upload artefacts + DSSEs + SHA256SUMS to the Evidence Locker paths above.
  3. Record URIs in sprint 0144 Decisions & Risks and mark ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 as DONE.