feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

docs/EXCITITOR_SCORRING.md

@@ -23,6 +23,27 @@ Safeguards: freeze boosts when product identity is unknown, clamp outputs ≥0,
 | **Phase 2 – Deterministic score engine** | Implement a scoring component that executes alongside consensus and persists score envelopes with hashes. | Planned task `EXCITITOR-CORE-02-002` (backlog). |
 | **Phase 3 – Surfacing & enforcement** | Expose scores via WebService/CLI, integrate with Concelier noise priors, and enforce policy-based suppressions. | To be scheduled after Phase 2. |
 
+## Policy controls (Phase 1)
+
+Operators tune scoring inputs through the Excititor policy document:
+
+```yaml
+excititor:
+  policy:
+    weights:
+      vendor: 1.10      # per-tier weight
+      ceiling: 1.40     # max clamp applied to tiers and overrides (1.0‒5.0)
+    providerOverrides:
+      trusted.vendor: 1.35
+    scoring:
+      alpha: 0.30       # KEV boost coefficient (defaults to 0.25)
+      beta: 0.60        # EPSS boost coefficient (defaults to 0.50)
+```
+
+* All weights (tiers + overrides) are clamped to `[0, weights.ceiling]` with structured warnings when a value is out of range or not a finite number.
+* `weights.ceiling` itself is constrained to `[1.0, 5.0]`, preserving prior behaviour when omitted.
+* `scoring.alpha` / `scoring.beta` accept non-negative values up to 5.0; values outside the range fall back to defaults and surface diagnostics to operators.
+
 ## Data model (after Phase 1)
 
 ```json