# Zastava Wave Prep — PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS

Status: **Ready for implementation** (2025-11-20)
Owners: Zastava Observer/Webhook Guilds · Surface Guild
Scope: Document Surface.FS cache drop plan and Surface.Env helper ownership/unseal steps to unblock Zastava runtime work.

## Decisions captured
- Surface.FS cache drop cadence: daily at 02:00 UTC with retention of last 3 snapshots; manual invalidate via `/admin/cache/drop` with DSSE auth.
- Surface.Env helper ownership: Surface Guild maintains helper; Zastava consumers read via sealed secret `SURFACE_ENV_CONFIG` injected per-tenant.
- Secrets rotation: quarterly or on incident; DSSE-signed env bundle stored in sealed S3 bucket `surface-env-bundles/tenant/{id}`.

## Deliverables for implementation teams
- Publish cache drop runbook under `docs/modules/zastava/runbooks/surface-fs-cache-drop.md` (owner Surface Guild).
- Publish env helper schema & sample at `docs/modules/zastava/surface-env-helper.sample.yaml` with hash file.
- Add checklist to Zastava admission hooks to verify `SURFACE_ENV_CONFIG` exists and DSSE signature matches Surface root.

## Acceptance criteria
- Written runbook + sample helper schema available at the paths above.
- Cache drop schedule and manual invalidate command documented with DSSE requirement.
- Zastava tasks can consume helper without requiring further schema decisions.
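
The admission-hook check listed under Deliverables (`SURFACE_ENV_CONFIG` exists and its DSSE signature matches the Surface root), sketched in Go as an added example; it is not Zastava or Surface code. It assumes the secret's value is a DSSE JSON envelope and that the Surface root is an Ed25519 public key; `VerifyEnvConfig`, the payload type and the sample key and payload are hypothetical and constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope follows the DSSE JSON envelope; "sig" matches Sig case-insensitively.
type Envelope struct {
	PayloadType string                 `json:"payloadType"`
	Payload     string                 `json:"payload"`    // base64
	Signatures  []struct{ Sig string } `json:"signatures"` // each sig is base64
}

// pae is the DSSE pre-authentication encoding: the exact bytes that get signed.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// VerifyEnvConfig returns the payload only if a signature verifies under root; any error means deny.
func VerifyEnvConfig(raw, wantType string, root ed25519.PublicKey) ([]byte, error) {
	var env Envelope
	if raw == "" || json.Unmarshal([]byte(raw), &env) != nil {
		return nil, fmt.Errorf("SURFACE_ENV_CONFIG missing or not a DSSE envelope")
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != wantType {
		return nil, fmt.Errorf("bad payload encoding or unexpected payloadType %q", env.PayloadType)
	}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(root, pae(env.PayloadType, body), sig) {
			return body, nil // consumers parse only these verified bytes
		}
	}
	return nil, fmt.Errorf("no signature verifies against the Surface root key")
}

func main() {
	enc := base64.StdEncoding.EncodeToString
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key, not a real root
	typ, body := "application/vnd.example.surface-env+json", []byte(`{"tenant":"demo"}`)
	raw := fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[{"keyid":"demo","sig":%q}]}`,
		typ, enc(body), enc(ed25519.Sign(priv, pae(typ, body))))
	out, err := VerifyEnvConfig(raw, typ, pub)
	fmt.Println(string(out), err)
}
```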