2.2 KiB
2.2 KiB
Zastava Verdict Hashing and Security
Module
Zastava
Status
IMPLEMENTED
Description
Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.
Implementation Details
- ZastavaHashing:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs-- deterministic hashing for verdict decisions - ZastavaCanonicalJsonSerializer:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs-- RFC 8785 canonical JSON serialization for deterministic hashing - IZastavaAuthorityTokenProvider:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs-- authority token provider interface - ZastavaAuthorityTokenProvider:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs-- OIDC-based token provider for authenticated backend communication - ZastavaOperationalToken:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs-- operational token model - AuthorityTokenProvider:
src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs-- webhook-specific token provider - OfflineStrictModeHandler:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Http/OfflineStrictModeHandler.cs-- HTTP handler enforcing offline/air-gap mode restrictions - ZastavaRuntimeMetrics:
src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs-- metrics for security operations - Tests:
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs,Serialization/ZastavaCanonicalJsonSerializerTests.cs,Validation/OfflineStrictModeTests.cs - Source: SPRINT_0144_0001_0001_zastava_runtime_signals.md
E2E Test Plan
- Verify deterministic hashing produces identical hashes for equivalent verdicts
- Test canonical JSON serialization follows RFC 8785 for reproducible output
- Verify authority token provider obtains and refreshes OIDC tokens
- Test offline strict mode blocks external HTTP calls in air-gapped deployments
- Verify verdict hash chain integrity across observer restarts