git.stella-ops.org/docs/modules/zastava/kit/README.md

# Zastava Kit (offline bundle) – Draft

Contents to include when built:
- Observations and admissions exports (NDJSON) signed via DSSE.
- Schemas: `schemas/observer_event.schema.json`, `schemas/webhook_admission.schema.json`.
- Thresholds: `thresholds.yaml` (DSSE-signed).
- Hash manifest: `SHA256SUMS` (covering all kit files).
- Verify script: `verify.sh` (hash + DSSE verification; fail closed on mismatch).

Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.

Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
Planned Evidence Locker paths (post-signing):
- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst` + `SHA256SUMS`