master
7b5bdcf4d3
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes. - Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes. - Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables. - Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
1.2 KiB
1.2 KiB
StellaOps Zastava
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
Responsibilities
- Observe node/container activity and emit runtime events.
- Validate signatures, SBOM presence, and backend verdicts before allowing containers.
- Buffer and replay events during disconnections.
- Trigger delta scans when runtime posture drifts.
Key components
StellaOps.Zastava.Observerdaemonset.StellaOps.Zastava.Webhookadmission controller.- Shared contracts in
StellaOps.Zastava.Core.
Integrations & dependencies
- Authority for OpToks and mTLS.
- Scanner/Scheduler for remediation triggers.
- Notify/UI for runtime alerts and dashboards.
Operational notes
- Runbook ./operations/runtime.md with Grafana/Prometheus assets.
- Offline kit assets bundling webhook charts.
- DPoP/mTLS rotation guidance shared with Authority.
Related resources
- ./operations/runtime.md
- ./operations/runtime-grafana-dashboard.json
- ./operations/runtime-prometheus-rules.yaml
Backlog references
- ZASTAVA runtime tasks in ../../TASKS.md.
- Webhook smoke tests tracked in src/Zastava/**/TASKS.md.