stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
acbb0ff637e49804eb39d6bcac87f2a7d29848c0
git.stella-ops.org/docs/modules/zastava/gaps/2025-12-02-zr-gaps.md
StellaOps Bot 885ce86af4
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add VEX Lens CI and Load Testing Plan 
- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
2025-12-02 07:18:28 +02:00

50 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Zastava Runtime Signals Gaps (ZR1ZR10)
**Source:** `docs/product-advisories/31-Nov-2025 FINDINGS.md`
**Compiled:** 2025-12-02 (UTC)
**Scope:** Close ZR1ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.
## Gap remediation summary
- **ZR1 · Canonical schemas & hashing**
- Publish signed JSON Schemas for Observer emission and Webhook admission envelopes under `docs/modules/zastava/schemas/`.
- Enforce JCS canonical JSON; compute `sha256` over canonical form; include test vectors.
- Validators reject non-canonical payloads; DSSE required on bundles.
- **ZR2 · Tenant isolation & scope binding**
- Require `tenant_id` and `project_id` on all Observer/Webhook requests; fail closed on missing/ambiguous values.
- Add tenancy annotations to DSSE envelopes and enforce tenancy in admission allowlist.
- Add cross-tenant negative tests.
- **ZR3 · Determinism & time source**
- Use monotonic clock + UTC; standardize ordering: `tenant -> namespace -> workload -> digest`.
- Add multi-run hash CI to ensure stable serialization.
- **ZR4 · Provenance & signer identity**
- Require DSSE envelopes with fields: `sensor_id`, `firmware_version`, `policy_hash`, `graph_revision_id`, `signer_key_id`.
- Reject unsigned/unknown signer; log provenance to CAS.
- **ZR5 · Admission side-effects & escape hatches**
- Side-effect allowlist documented; deny non-listed hooks.
- Bypass/debug require dual approval and DSSE waiver with expiry; log and alert on use.
- **ZR6 · Offline/air-gap parity**
- Provide `zastava-kit` bundle (admissions + observations + schemas + DSSE + hashes) with deterministic tar flags (`--mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27`).
- Include `verify.sh` for hash/signature/tenant checks; no network dependencies.
- **ZR7 · Replay/audit linkage**
- Embed `ledger_id` and `replay_manifest` refs in events/admissions; store in CAS.
- Export linkage in offline kit and Evidence Locker.
- **ZR8 · Thresholds, burn-rate & anomaly policy**
- Versioned `thresholds.yaml` with DSSE signatures; change log required.
- Alerts on threshold change; publish budgets (latency, error rate, drop rate).
- **ZR9 · PII/redaction & log hygiene**
- Redaction allowlist + size limits; CI + ingest PII/secret scan.
- Truncate with omission counts; include `redaction_manifest` in DSSE annotations.
- **ZR10 · Health, kill-switch & fallback**
- Fault counter + kill-switch with DSSE-signed disable record.
- Configurable fail-open/closed (default fail-closed for admission); manual re-enable requires DSSE record.
## Artefacts created
- This remediation plan: `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md` (to be cross-linked from sprint 0144 and TASKS).
- Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.
## Next steps
1) Generate schemas + test vectors and place under `docs/modules/zastava/schemas/`; sign DSSE.
2) Draft `thresholds.yaml` with budgets and sign DSSE.
3) Build `zastava-kit` bundle + `verify.sh`; include Evidence Locker path and SHA256.
4) Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.
Reference in New Issue View Git Blame Copy Permalink