feat: Add guild charters and task boards for various components

- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.

ops/authority/AGENTS.md

@@ -14,3 +14,7 @@ Operate and harden the StellaOps Authority platform in production and air-gapped
 - Validate container changes with the CI pipeline (`ops/authority` GitHub workflow) before marking DONE.
 - Update operator documentation in `docs/` together with any behavioural change.
 - Coordinate with Authority Core and Security Guild before altering sensitive defaults (rate limits, crypto providers, revocation jobs).
+
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/airgap/airgap-mode.md`

ops/deployment/AGENTS.md

@@ -1,4 +1,15 @@
-# Deployment & Operations — Agent Charter
-
-## Mission
-Maintain deployment/upgrade/rollback workflows (Helm/Compose) per `docs/modules/devops/ARCHITECTURE.md` including environment-specific configs.
+# Deployment & Operations — Agent Charter
+
+## Mission
+Maintain deployment/upgrade/rollback workflows (Helm/Compose) per `docs/modules/devops/ARCHITECTURE.md` including environment-specific configs.
+
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/airgap/airgap-mode.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

ops/devops/AGENTS.md

@@ -1,11 +1,22 @@
-# DevOps & Release — Agent Charter
-
-## Mission
-Execute deterministic build/release pipeline per `docs/modules/devops/ARCHITECTURE.md`:
-- Reproducible builds with SBOM/provenance, cosign signing, transparency logging.
-- Channel manifests (LTS/Stable/Edge) with digests, Helm/Compose profiles.
-- Performance guard jobs ensuring budgets.
-
-## Expectations
-- Coordinate with Scanner/Scheduler/Notify teams for artifact availability.
-- Maintain CI reliability; update `TASKS.md` as states change.
+# DevOps & Release — Agent Charter
+
+## Mission
+Execute deterministic build/release pipeline per `docs/modules/devops/ARCHITECTURE.md`:
+- Reproducible builds with SBOM/provenance, cosign signing, transparency logging.
+- Channel manifests (LTS/Stable/Edge) with digests, Helm/Compose profiles.
+- Performance guard jobs ensuring budgets.
+
+## Expectations
+- Coordinate with Scanner/Scheduler/Notify teams for artifact availability.
+- Maintain CI reliability; update `TASKS.md` as states change.
+
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/airgap/airgap-mode.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

ops/devops/TASKS.md

@@ -25,6 +25,14 @@
 | DEVOPS-OBS-54-001 | TODO | DevOps Guild, Security Guild | PROV-OBS-53-002, EVID-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | Keys provisioned with rotation policy; timestamp authority configured; CI verifies sample bundles; audit trail stored. |
 | DEVOPS-OBS-55-001 | TODO | DevOps Guild, Ops Guild | DEVOPS-OBS-51-001, WEB-OBS-55-001 | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | Incident mode toggles via API/CLI; automation tested in staging; reset job verified; runbook referenced. |
 
+## Surface Sharing Enablement
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| OPS-ENV-01 | TODO | DevOps Guild, Scanner Guild | SURFACE-ENV-02 | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | Templates merged; config docs updated; air-gap bootstrap tested with new vars. |
+| OPS-SECRETS-01 | TODO | DevOps Guild, Security Guild | SURFACE-SECRETS-03 | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | Runbook merged; sample manifests include secret refs; security review noted. |
+| OPS-SECRETS-02 | TODO | DevOps Guild, Offline Kit Guild | OPS-SECRETS-01 | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. | Offline kit build includes secrets manifest; verification script added; docs refreshed. |
+
 ## Air-Gapped Mode (Epic 16)
 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|

ops/licensing/AGENTS.md

@@ -1,4 +1,15 @@
-# Licensing & Registry Access — Agent Charter
-
-## Mission
-Implement licensing token service and registry access workflows described in `docs/modules/devops/ARCHITECTURE.md`.
+# Licensing & Registry Access — Agent Charter
+
+## Mission
+Implement licensing token service and registry access workflows described in `docs/modules/devops/ARCHITECTURE.md`.
+
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/airgap/airgap-mode.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

ops/offline-kit/AGENTS.md

@@ -1,4 +1,15 @@
-# Offline Kit — Agent Charter
-
-## Mission
-Package Offline Update Kit per `docs/modules/devops/ARCHITECTURE.md` and `docs/24_OFFLINE_KIT.md` with deterministic digests and import tooling.
+# Offline Kit — Agent Charter
+
+## Mission
+Package Offline Update Kit per `docs/modules/devops/ARCHITECTURE.md` and `docs/24_OFFLINE_KIT.md` with deterministic digests and import tooling.
+
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/airgap/airgap-mode.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

ops/offline-kit/TASKS.md

@@ -8,3 +8,4 @@
 | CLI-PACKS-43-002 | TODO | Offline Kit Guild, Packs Registry Guild | PACKS-REG-42-001, DEPLOY-PACKS-43-001 | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline kit includes packs registry mirror, Task Runner configs, CLI binaries; manifest/signature updated; docs describe air-gapped execution. |
 | OFFLINE-CONTAINERS-46-001 | TODO | Offline Kit Guild, Deployment Guild | DEVOPS-CONTAINERS-46-001, DEPLOY-AIRGAP-46-001 | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline kit ships bundle + how-to; verification steps validated; manifest/signature updated; imposed rule noted. |
 | DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-REL-17-002 | Execute `mirror_debug_store.py` after the next release pipeline emits `out/release/debug`, verify manifest hashes, and archive `metadata/debug-store.json` with the kit. | Debug store mirrored post-release, manifest SHA validated, summary committed alongside Offline Kit bundle evidence. ⏳ Blocked until the release pipeline publishes the next `out/release/debug` tree; rerun the mirroring script as part of that pipeline. |
+| OPS-SECRETS-02 | TODO | Offline Kit Guild, DevOps Guild | OPS-SECRETS-01 | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. | Offline kit includes Surface.Secrets materials; verification script passes; docs updated with import instructions. |