git.stella-ops.org/docs/modules/zastava

StellaOps Zastava

Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.

Latest updates (2025-12-02)

• DSSE-signed schemas, thresholds, exports, and deterministic zastava-kit bundle published under docs/modules/zastava; verification via kit/verify.sh and hashes in SHA256SUMS.
• Sprint tracker docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md and module TASKS.md added to mirror status.
• Observability runbook stub + dashboard placeholder added under operations/ (offline import).
• Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.

Responsibilities

• Observe node/container activity and emit runtime events.
• Validate signatures, SBOM presence, and backend verdicts before allowing containers.
• Buffer and replay events during disconnections.
• Trigger delta scans when runtime posture drifts.

Key components

• StellaOps.Zastava.Observer daemonset.
• StellaOps.Zastava.Webhook admission controller.
• Shared contracts in StellaOps.Zastava.Core.

Integrations & dependencies

• Authority for OpToks and mTLS.
• Scanner/Scheduler for remediation triggers.
• Notify/UI for runtime alerts and dashboards.

Operational notes

• Runbook ./operations/observability.md (stub) plus dashboard placeholder ./operations/dashboards/zastava-observability.json.
• Legacy runtime runbook assets remain under ./operations if present; keep offline kit bundles deterministic.
• DPoP/mTLS rotation guidance shared with Authority.

Related resources

• ./operations/runtime.md
• ./operations/runtime-grafana-dashboard.json
• ./operations/runtime-prometheus-rules.yaml

Backlog references

• ZASTAVA runtime tasks in ../../TASKS.md.
• Webhook smoke tests tracked in src/Zastava/**/TASKS.md.