feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

src/StellaOps.Cli/Commands/CommandFactory.cs

@@ -25,6 +25,7 @@ internal static class CommandFactory
         root.Add(BuildScanCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildDatabaseCommand(services, verboseOption, cancellationToken));
         root.Add(BuildExcititorCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildRuntimeCommand(services, verboseOption, cancellationToken));
         root.Add(BuildAuthCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildConfigCommand(options));
 
@@ -335,11 +336,16 @@ internal static class CommandFactory
         {
             Description = "Optional provider identifier when requesting targeted exports."
         };
+        var exportOutputOption = new Option<string?>("--output")
+        {
+            Description = "Optional path to download the export artifact."
+        };
         export.Add(formatOption);
         export.Add(exportDeltaOption);
         export.Add(exportScopeOption);
         export.Add(exportSinceOption);
         export.Add(exportProviderOption);
+        export.Add(exportOutputOption);
         export.SetAction((parseResult, _) =>
         {
             var format = parseResult.GetValue(formatOption) ?? "openvex";
@@ -347,8 +353,9 @@ internal static class CommandFactory
             var scope = parseResult.GetValue(exportScopeOption);
             var since = parseResult.GetValue(exportSinceOption);
             var provider = parseResult.GetValue(exportProviderOption);
+            var output = parseResult.GetValue(exportOutputOption);
             var verbose = parseResult.GetValue(verboseOption);
-            return CommandHandlers.HandleExcititorExportAsync(services, format, delta, scope, since, provider, verbose, cancellationToken);
+            return CommandHandlers.HandleExcititorExportAsync(services, format, delta, scope, since, provider, output, verbose, cancellationToken);
         });
 
         var verify = new Command("verify", "Verify Excititor exports or attestations.");
@@ -406,6 +413,70 @@ internal static class CommandFactory
         return excititor;
     }
 
+    private static Command BuildRuntimeCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var runtime = new Command("runtime", "Interact with runtime admission policy APIs.");
+        var policy = new Command("policy", "Runtime policy operations.");
+
+        var test = new Command("test", "Evaluate runtime policy decisions for image digests.");
+        var namespaceOption = new Option<string?>("--namespace", new[] { "--ns" })
+        {
+            Description = "Namespace or logical scope for the evaluation."
+        };
+
+        var imageOption = new Option<string[]>("--image", new[] { "-i", "--images" })
+        {
+            Description = "Image digests to evaluate (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+
+        var fileOption = new Option<string?>("--file", new[] { "-f" })
+        {
+            Description = "Path to a file containing image digests (one per line)."
+        };
+
+        var labelOption = new Option<string[]>("--label", new[] { "-l", "--labels" })
+        {
+            Description = "Pod labels in key=value format (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Emit the raw JSON response."
+        };
+
+        test.Add(namespaceOption);
+        test.Add(imageOption);
+        test.Add(fileOption);
+        test.Add(labelOption);
+        test.Add(jsonOption);
+
+        test.SetAction((parseResult, _) =>
+        {
+            var nsValue = parseResult.GetValue(namespaceOption);
+            var images = parseResult.GetValue(imageOption) ?? Array.Empty<string>();
+            var file = parseResult.GetValue(fileOption);
+            var labels = parseResult.GetValue(labelOption) ?? Array.Empty<string>();
+            var outputJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleRuntimePolicyTestAsync(
+                services,
+                nsValue,
+                images,
+                file,
+                labels,
+                outputJson,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(test);
+        runtime.Add(policy);
+        return runtime;
+    }
+
     private static Command BuildAuthCommand(IServiceProvider services, StellaOpsCliOptions options, Option<bool> verboseOption, CancellationToken cancellationToken)
     {
         var auth = new Command("auth", "Manage authentication with StellaOps Authority.");