feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

src/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs

@@ -0,0 +1,179 @@
+namespace StellaOps.Zastava.Core.Contracts;
+
+/// <summary>
+/// Envelope published by the observer towards Scanner runtime ingestion.
+/// </summary>
+public sealed record class RuntimeEventEnvelope
+{
+    /// <summary>
+    /// Contract identifier consumed by negotiation logic (<c>zastava.runtime.event@v1</c>).
+    /// </summary>
+    public required string SchemaVersion { get; init; }
+
+    /// <summary>
+    /// Runtime event payload.
+    /// </summary>
+    public required RuntimeEvent Event { get; init; }
+
+    /// <summary>
+    /// Creates an envelope using the provided runtime contract version.
+    /// </summary>
+    public static RuntimeEventEnvelope Create(RuntimeEvent runtimeEvent, ZastavaContractVersions.ContractVersion contract)
+    {
+        ArgumentNullException.ThrowIfNull(runtimeEvent);
+        return new RuntimeEventEnvelope
+        {
+            SchemaVersion = contract.ToString(),
+            Event = runtimeEvent
+        };
+    }
+
+    /// <summary>
+    /// Checks whether the envelope schema is supported by the current runtime.
+    /// </summary>
+    public bool IsSupported()
+        => ZastavaContractVersions.IsRuntimeEventSupported(SchemaVersion);
+}
+
+/// <summary>
+/// Canonical runtime event emitted by the observer.
+/// </summary>
+public sealed record class RuntimeEvent
+{
+    public required string EventId { get; init; }
+
+    public required DateTimeOffset When { get; init; }
+
+    public required RuntimeEventKind Kind { get; init; }
+
+    public required string Tenant { get; init; }
+
+    public required string Node { get; init; }
+
+    public required RuntimeEngine Runtime { get; init; }
+
+    public required RuntimeWorkload Workload { get; init; }
+
+    public RuntimeProcess? Process { get; init; }
+
+    [JsonPropertyName("loadedLibs")]
+    public IReadOnlyList<RuntimeLoadedLibrary> LoadedLibraries { get; init; } = Array.Empty<RuntimeLoadedLibrary>();
+
+    public RuntimePosture? Posture { get; init; }
+
+    public RuntimeDelta? Delta { get; init; }
+
+    public IReadOnlyList<RuntimeEvidence> Evidence { get; init; } = Array.Empty<RuntimeEvidence>();
+
+    public IReadOnlyDictionary<string, string>? Annotations { get; init; }
+}
+
+public enum RuntimeEventKind
+{
+    ContainerStart,
+    ContainerStop,
+    Drift,
+    PolicyViolation,
+    AttestationStatus
+}
+
+public sealed record class RuntimeEngine
+{
+    public required string Engine { get; init; }
+
+    public string? Version { get; init; }
+}
+
+public sealed record class RuntimeWorkload
+{
+    public required string Platform { get; init; }
+
+    [JsonPropertyName("namespace")]
+    public string? Namespace { get; init; }
+
+    public string? Pod { get; init; }
+
+    public string? Container { get; init; }
+
+    public string? ContainerId { get; init; }
+
+    public string? ImageRef { get; init; }
+
+    public RuntimeWorkloadOwner? Owner { get; init; }
+}
+
+public sealed record class RuntimeWorkloadOwner
+{
+    public string? Kind { get; init; }
+
+    public string? Name { get; init; }
+}
+
+public sealed record class RuntimeProcess
+{
+    public int Pid { get; init; }
+
+    public IReadOnlyList<string> Entrypoint { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("entryTrace")]
+    public IReadOnlyList<RuntimeEntryTrace> EntryTrace { get; init; } = Array.Empty<RuntimeEntryTrace>();
+}
+
+public sealed record class RuntimeEntryTrace
+{
+    public string? File { get; init; }
+
+    public int? Line { get; init; }
+
+    public string? Op { get; init; }
+
+    public string? Target { get; init; }
+}
+
+public sealed record class RuntimeLoadedLibrary
+{
+    public required string Path { get; init; }
+
+    public long? Inode { get; init; }
+
+    public string? Sha256 { get; init; }
+}
+
+public sealed record class RuntimePosture
+{
+    public bool? ImageSigned { get; init; }
+
+    public string? SbomReferrer { get; init; }
+
+    public RuntimeAttestation? Attestation { get; init; }
+}
+
+public sealed record class RuntimeAttestation
+{
+    public string? Uuid { get; init; }
+
+    public bool? Verified { get; init; }
+}
+
+public sealed record class RuntimeDelta
+{
+    public string? BaselineImageDigest { get; init; }
+
+    public IReadOnlyList<string> ChangedFiles { get; init; } = Array.Empty<string>();
+
+    public IReadOnlyList<RuntimeNewBinary> NewBinaries { get; init; } = Array.Empty<RuntimeNewBinary>();
+}
+
+public sealed record class RuntimeNewBinary
+{
+    public required string Path { get; init; }
+
+    public string? Sha256 { get; init; }
+}
+
+public sealed record class RuntimeEvidence
+{
+    public required string Signal { get; init; }
+
+    public string? Value { get; init; }
+}