stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
90c244948a7427037e3bdb541fc6b0a27520d37f
git.stella-ops.org/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations. 
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00

2.0 KiB
Raw Blame History

Zastava Webhook Guild Charter

Mission

Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible.

Scope

  • Admission controller code under StellaOps.Zastava.Webhook.
  • Request validation, response generation, and audit logging.
  • Integration with Surface.FS/Env/Secrets/Validation and Authority scopes.
  • Helm/Compose configuration samples and compatibility with sealed environments.

Required Reading

  • docs/modules/zastava/architecture.md
  • docs/modules/scanner/design/surface-fs.md
  • docs/modules/scanner/design/surface-env.md
  • docs/modules/scanner/design/surface-secrets.md
  • docs/modules/scanner/design/surface-validation.md
  • docs/modules/scanner/architecture.md (runtime posture/admission sections)
  • docs/modules/policy/architecture.md
  • docs/modules/airgap/airgap-mode.md
  • docs/modules/devops/runbooks/zastava-deployment.md

Working Agreement

  1. Task state: update corresponding sprint file docs/implplan/SPRINT_*.md and local TASKS.md to DOING/DONE as you start or complete work.
  2. Surface usage: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
  3. Deterministic verdicts: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
  4. Security: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
  5. Offline posture: operate without external egress; surface actionable errors when cache/attestation data is missing.
  6. Testing: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets.
  7. Documentation: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes.