# Zastava Verdict Hashing and Security

## Module

Zastava

## Status

IMPLEMENTED

## Description

Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.

## Implementation Details

- **ZastavaHashing**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs` -- deterministic hashing for verdict decisions
- **ZastavaCanonicalJsonSerializer**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs` -- RFC 8785 canonical JSON serialization for deterministic hashing
- **IZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs` -- authority token provider interface
- **ZastavaAuthorityTokenProvider**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs` -- OIDC-based token provider for authenticated backend communication
- **ZastavaOperationalToken**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs` -- operational token model
- **AuthorityTokenProvider**: `src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs` -- webhook-specific token provider
- **OfflineStrictModeHandler**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs` -- HTTP handler enforcing offline/air-gap mode restrictions
- **ZastavaRuntimeMetrics**: `src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs` -- metrics for security operations
- **Tests**: `src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs`, `Serialization/ZastavaCanonicalJsonSerializerTests.cs`, `Validation/OfflineStrictModeTests.cs`
- **Source**: SPRINT_0144_0001_0001_zastava_runtime_signals.md

## E2E Test Plan

- [ ] Verify deterministic hashing produces identical hashes for equivalent verdicts
- [ ] Test canonical JSON serialization follows RFC 8785 for reproducible output
- [ ] Verify authority token provider obtains and refreshes OIDC tokens
- [ ] Test offline strict mode blocks external HTTP calls in air-gapped deployments
- [ ] Verify verdict hash chain integrity across observer restarts
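
The first two checks in this plan can be prototyped outside the code base. The following is an added sketch, not the StellaOps implementation: it canonicalizes the RFC 8785 subset of strings, safe integers, booleans, null, arrays and objects, then hashes the bytes. The verdict field names, the `sha256:` prefix and the use of SHA-256 are assumptions, since the page does not name the digest.

```python
import hashlib
import json

MAX_SAFE_INT = 2**53 - 1  # largest integer an IEEE 754 double holds exactly


def _check(value):
    """Reject values whose canonical form this sketch does not implement."""
    if isinstance(value, bool) or value is None or isinstance(value, str):
        return
    if isinstance(value, int):
        if abs(value) > MAX_SAFE_INT:
            raise ValueError("integer is not exactly representable as a double")
    elif isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise TypeError("object keys must be strings")
            _check(item)
    elif isinstance(value, list):
        for item in value:
            _check(item)
    else:  # floats need the ECMAScript number format, which is not covered here
        raise TypeError(f"unsupported type: {type(value).__name__}")


def _ordered(value):
    """Sort object members by the UTF-16 code units of their keys (RFC 8785)."""
    if isinstance(value, dict):
        keys = sorted(value, key=lambda k: k.encode("utf-16-be"))
        return {k: _ordered(value[k]) for k in keys}
    if isinstance(value, list):
        return [_ordered(item) for item in value]  # array order is significant
    return value


def canonical_bytes(value):
    _check(value)
    text = json.dumps(_ordered(value), separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")  # raises on lone surrogates instead of hashing them


def verdict_hash(verdict):
    return "sha256:" + hashlib.sha256(canonical_bytes(verdict)).hexdigest()


# Constructed sample verdicts: same content, different member order.
A = {"decision": "deny", "image": "registry.example/app:1", "reasons": ["unsigned"]}
B = {"reasons": ["unsigned"], "image": "registry.example/app:1", "decision": "deny"}
```

`verdict_hash(A)` and `verdict_hash(B)` are equal, while reordering the `reasons` array or changing any value yields a different hash. Rejecting floats rather than formatting them loosely keeps the sketch from producing bytes that a full RFC 8785 implementation would disagree with.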