StellaOps Zastava
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
Latest updates (2025-12-02)
- DSSE-signed schemas, thresholds, exports, and deterministic
zastava-kitbundle published underdocs/modules/zastava; verification viakit/verify.shand hashes inSHA256SUMS. - Sprint tracker
docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.mdand moduleTASKS.mdadded to mirror status. - Observability runbook stub + dashboard placeholder added under
operations/(offline import). - Surface.Env/Surface.Secrets adoption remains pending platform contracts; align with platform docs before enabling sealed mode.
Responsibilities
- Observe node/container activity and emit runtime events.
- Validate signatures, SBOM presence, and backend verdicts before allowing containers.
- Buffer and replay events during disconnections.
- Trigger delta scans when runtime posture drifts.
Key components
StellaOps.Zastava.Observerdaemonset.StellaOps.Zastava.Webhookadmission controller.- Shared contracts in
StellaOps.Zastava.Core.
Integrations & dependencies
- Authority for OpToks and mTLS.
- Scanner/Scheduler for remediation triggers.
- Notify/UI for runtime alerts and dashboards.
Operational notes
- Runbook
./operations/observability.md(stub) plus dashboard placeholder./operations/dashboards/zastava-observability.json. - Legacy runtime runbook assets remain under ./operations if present; keep offline kit bundles deterministic.
- DPoP/mTLS rotation guidance shared with Authority.
Related resources
- ./operations/runtime.md
- ./operations/runtime-grafana-dashboard.json
- ./operations/runtime-prometheus-rules.yaml
Implementation Status
Current Objectives
- Maintain deterministic behaviour and offline parity across releases
- Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes
- Coordinate with platform contracts before enabling sealed mode
Core Capabilities
- Runtime event observation: node/container activity monitoring
- Admission control: signature validation, SBOM presence, backend verdict checks
- Disconnection resilience: event buffering and replay during network outages
- Delta scan triggering when runtime posture drifts
Key Components
- StellaOps.Zastava.Observer daemonset for runtime monitoring
- StellaOps.Zastava.Webhook admission controller for policy enforcement
- StellaOps.Zastava.Core shared contracts
Integration Points
- Authority: OpToks and mTLS for secure communication
- Scanner/Scheduler: remediation trigger coordination
- Notify/UI: runtime alerts and dashboard visualization
- Platform contracts: Surface.Env/Surface.Secrets (pending alignment)
Operational Assets (Sprint 0335 · 2025-12-02)
- DSSE-signed schemas, thresholds, exports in docs/modules/zastava
- Deterministic zastava-kit bundle with verification via kit/verify.sh
- SHA256SUMS for bundle integrity validation
- Observability runbook: operations/observability.md
- Dashboard placeholder: operations/dashboards/zastava-observability.json
- Legacy assets: operations/runtime.md, runtime-grafana-dashboard.json, runtime-prometheus-rules.yaml
Technical Decisions
- Deterministic offline kit bundles with signed manifests
- DPoP/mTLS rotation guidance shared with Authority
- Surface.Env/Surface.Secrets adoption pending platform contract finalization
Coordination Approach
- Review AGENTS.md before starting new work
- Sync with cross-cutting teams via docs/implplan/SPRINT_*.md
- Track backlog: ZASTAVA runtime tasks in ../../TASKS.md
- Webhook smoke tests: src/Zastava/**/TASKS.md
- Sprint tracker: docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md
- Module status mirror: docs/modules/zastava/TASKS.md
Backlog references
- ZASTAVA runtime tasks in ../../TASKS.md.
- Webhook smoke tests tracked in src/Zastava/**/TASKS.md.