git.stella-ops.org/docs/modules/zastava/gaps/2025-12-02-zr-gaps.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00


Zastava Runtime Signals Gaps (ZR1-ZR10)

Source: docs/product-advisories/31-Nov-2025 FINDINGS.md
Compiled: 2025-12-02 (UTC)
Scope: Close ZR1-ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.

Gap remediation summary

  • ZR1 · Canonical schemas & hashing
    • Publish signed JSON Schemas for Observer emission and Webhook admission envelopes under docs/modules/zastava/schemas/.
    • Enforce JCS canonical JSON; compute sha256 over canonical form; include test vectors.
    • Validators reject non-canonical payloads; DSSE required on bundles.
  • ZR2 · Tenant isolation & scope binding
    • Require tenant_id and project_id on all Observer/Webhook requests; fail closed on missing/ambiguous values.
    • Add tenancy annotations to DSSE envelopes and enforce tenancy in admission allowlist.
    • Add cross-tenant negative tests.
  • ZR3 · Determinism & time source
    • Use monotonic clock + UTC; standardize ordering: tenant -> namespace -> workload -> digest.
    • Add multi-run hash CI to ensure stable serialization.
  • ZR4 · Provenance & signer identity
    • Require DSSE envelopes with fields: sensor_id, firmware_version, policy_hash, graph_revision_id, signer_key_id.
    • Reject unsigned/unknown signer; log provenance to CAS.
  • ZR5 · Admission side-effects & escape hatches
    • Side-effect allowlist documented; deny non-listed hooks.
    • Bypass/debug require dual approval and DSSE waiver with expiry; log and alert on use.
  • ZR6 · Offline/air-gap parity
    • Provide zastava-kit bundle (admissions + observations + schemas + DSSE + hashes) with deterministic tar flags (--mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27).
    • Include verify.sh for hash/signature/tenant checks; no network dependencies.
  • ZR7 · Replay/audit linkage
    • Embed ledger_id and replay_manifest refs in events/admissions; store in CAS.
    • Export linkage in offline kit and Evidence Locker.
  • ZR8 · Thresholds, burn-rate & anomaly policy
    • Versioned thresholds.yaml with DSSE signatures; change log required.
    • Alerts on threshold change; publish budgets (latency, error rate, drop rate).
  • ZR9 · PII/redaction & log hygiene
    • Redaction allowlist + size limits; CI + ingest PII/secret scan.
    • Truncate with omission counts; include redaction_manifest in DSSE annotations.
  • ZR10 · Health, kill-switch & fallback
    • Fault counter + kill-switch with DSSE-signed disable record.
    • Configurable fail-open/closed (default fail-closed for admission); manual re-enable requires DSSE record.
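The validator behaviour that ZR1 (canonical JSON + sha256, reject non-canonical payloads), ZR2 (fail closed on missing tenant_id/project_id) and ZR3 (tenant -> namespace -> workload -> digest ordering) ask for, shown as an added illustration that is not code from the Zastava project. It assumes the JSON subset used by the envelopes (objects, arrays, strings, integers, booleans, null, no floats, keys in the BMP), under which Python's sorted compact output matches RFC 8785 (JCS); the sample payloads are constructed.

```python
import hashlib
import json

REQUIRED_SCOPE = ("tenant_id", "project_id")
ORDER_KEYS = ("tenant_id", "namespace", "workload", "digest")


def canonical_bytes(obj) -> bytes:
    # JCS-style form: keys sorted, no whitespace, non-ASCII left unescaped.
    # Assumption: no floats and only BMP keys, so this equals RFC 8785 output.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def canonical_sha256(obj) -> str:
    # The hash a bundle records is computed over the canonical bytes only.
    return hashlib.sha256(canonical_bytes(obj)).hexdigest()


def validate_payload(raw: bytes) -> list:
    """Return the reasons for rejection; an empty list means accepted.

    Any parse error or missing scope value is a rejection (fail closed).
    """
    errors = []
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(obj, dict):
        return ["top-level value must be an object"]
    # ZR1: the bytes on the wire must already be the canonical encoding,
    # otherwise two senders could produce different hashes for one payload.
    if canonical_bytes(obj) != raw:
        errors.append("payload is not in canonical (JCS) form")
    # ZR2: tenancy is bound on every request; absent or empty values fail.
    for key in REQUIRED_SCOPE:
        value = obj.get(key)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"missing or empty {key}")
    return errors


def ordered(events: list) -> list:
    # ZR3: stable serialisation order independent of arrival order.
    return sorted(events, key=lambda e: tuple(e.get(k, "") for k in ORDER_KEYS))


if __name__ == "__main__":
    sample = b'{"digest":"sha256:abc","project_id":"p1","tenant_id":"t1"}'  # constructed
    print(validate_payload(sample), canonical_sha256(json.loads(sample)))
```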

Artefacts created

  • This remediation plan: docs/modules/zastava/gaps/2025-12-02-zr-gaps.md (to be cross-linked from sprint 0144 and TASKS).
  • Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.

Next steps

  1. Schemas + test vectors generated and DSSE-signed under docs/modules/zastava/schemas/ (2025-12-02).
  2. thresholds.yaml DSSE-signed and included in kit (2025-12-02).
  3. Deterministic zastava-kit bundle + verify.sh built; kit DSSE stored at docs/modules/zastava/kit/zastava-kit.tzst.dsse with hashes in SHA256SUMS (2025-12-02).
  4. Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.
  5. Upload DSSE artefacts + kit to Evidence Locker paths in docs/modules/zastava/evidence/README.md and backfill operations docs with verifier usage.