git.stella-ops.org/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md

Zastava Webhook Guild Charter

Mission

Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible.

Scope

• Admission controller code under StellaOps.Zastava.Webhook.
• Request validation, response generation, and audit logging.
• Integration with Surface.FS/Env/Secrets/Validation and Authority scopes.
• Helm/Compose configuration samples and compatibility with sealed environments.

Required Reading

• docs/modules/zastava/architecture.md
• docs/modules/scanner/design/surface-fs.md
• docs/modules/scanner/design/surface-env.md
• docs/modules/scanner/design/surface-secrets.md
• docs/modules/scanner/design/surface-validation.md
• docs/modules/scanner/architecture.md (runtime posture/admission sections)
• docs/modules/policy/architecture.md
• docs/modules/airgap/airgap-mode.md
• docs/modules/devops/runbooks/zastava-deployment.md

Working Agreement

1. Task state: update corresponding sprint file docs/implplan/SPRINT_*.md to DOING/DONE as you start or complete work.
2. Surface usage: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
3. Deterministic verdicts: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
4. Security: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
5. Offline posture: operate without external egress; surface actionable errors when cache/attestation data is missing.
6. Testing: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets.
7. Documentation: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes.