git.stella-ops.org/docs/modules/zastava/gaps/2025-12-02-zr-gaps.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00


# Zastava Runtime Signals Gaps (ZR1-ZR10)
**Source:** `docs/product-advisories/31-Nov-2025 FINDINGS.md`
**Compiled:** 2025-12-02 (UTC)
**Scope:** Close ZR1-ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.
## Gap remediation summary
- **ZR1 · Canonical schemas & hashing**
- Publish signed JSON Schemas for Observer emission and Webhook admission envelopes under `docs/modules/zastava/schemas/`.
- Enforce JCS canonical JSON; compute `sha256` over canonical form; include test vectors.
- Validators reject non-canonical payloads; DSSE required on bundles.
- **ZR2 · Tenant isolation & scope binding**
- Require `tenant_id` and `project_id` on all Observer/Webhook requests; fail closed on missing/ambiguous values.
- Add tenancy annotations to DSSE envelopes and enforce tenancy in admission allowlist.
- Add cross-tenant negative tests.
- **ZR3 · Determinism & time source**
- Use monotonic clock + UTC; standardize ordering: `tenant -> namespace -> workload -> digest`.
- Add multi-run hash CI to ensure stable serialization.
- **ZR4 · Provenance & signer identity**
- Require DSSE envelopes with fields: `sensor_id`, `firmware_version`, `policy_hash`, `graph_revision_id`, `signer_key_id`.
- Reject unsigned/unknown signer; log provenance to CAS.
- **ZR5 · Admission side-effects & escape hatches**
- Side-effect allowlist documented; deny non-listed hooks.
- Bypass/debug require dual approval and DSSE waiver with expiry; log and alert on use.
- **ZR6 · Offline/air-gap parity**
- Provide `zastava-kit` bundle (admissions + observations + schemas + DSSE + hashes) with deterministic tar flags (`--mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27`).
- Include `verify.sh` for hash/signature/tenant checks; no network dependencies.
- **ZR7 · Replay/audit linkage**
- Embed `ledger_id` and `replay_manifest` refs in events/admissions; store in CAS.
- Export linkage in offline kit and Evidence Locker.
- **ZR8 · Thresholds, burn-rate & anomaly policy**
- Versioned `thresholds.yaml` with DSSE signatures; change log required.
- Alerts on threshold change; publish budgets (latency, error rate, drop rate).
- **ZR9 · PII/redaction & log hygiene**
- Redaction allowlist + size limits; CI + ingest PII/secret scan.
- Truncate with omission counts; include `redaction_manifest` in DSSE annotations.
- **ZR10 · Health, kill-switch & fallback**
- Fault counter + kill-switch with DSSE-signed disable record.
- Configurable fail-open/closed (default fail-closed for admission); manual re-enable requires DSSE record.
## Artefacts created
- This remediation plan: `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md` (to be cross-linked from sprint 0144 and TASKS).
- Delivery paths for schemas/thresholds/kit will be added when produced; DSSE signatures required for all artefacts.
## Next steps
1) ✅ Schemas + test vectors generated and DSSE-signed under `docs/modules/zastava/schemas/` (2025-12-02).
2) ✅ `thresholds.yaml` DSSE-signed and included in kit (2025-12-02).
3) ✅ Deterministic `zastava-kit` bundle + `verify.sh` built; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` with hashes in `SHA256SUMS` (2025-12-02).
4) Add tenancy/ordering/provenance enforcement to Observer/Webhook validators and tests; mirror changes in sprint and TASKS boards.
5) Upload DSSE artefacts + kit to Evidence Locker paths in `docs/modules/zastava/evidence/README.md` and backfill operations docs with verifier usage.