feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

docs/updates/2025-10-19-docs-guild.md

@@ -0,0 +1,12 @@
+# Docs Guild Update — 2025-10-19
+
+**Subject:** Event envelope reference & canonical samples
+**Audience:** Docs Guild, Platform Events, Runtime Guild
+
+- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
+- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
+- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
+
+Next steps:
+- Platform Events to embed the canonical samples into their contract tests.
+- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.

docs/updates/2025-10-19-platform-events.md

@@ -0,0 +1,10 @@
+# Platform Events Update — 2025-10-19
+
+**Subject:** Canonical event samples enforced across tests & CI  
+**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
+
+- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
+- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
+- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
+
+No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.

docs/updates/2025-10-19-scanner-policy.md

@@ -0,0 +1,5 @@
+# 2025-10-19 – Scanner ↔ Policy Sync
+
+- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
+- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
+- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.

docs/updates/2025-10-19-scheduler-storage.md

@@ -0,0 +1,8 @@
+# Scheduler Storage Update — 2025-10-19
+
+**Subject:** Mongo bootstrap + canonical fixtures  
+**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
+
+- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
+- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
+- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.