feat: Add guild charters and task boards for various components

- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md

@@ -1,33 +1,44 @@
-# StellaOps.Scanner.Analyzers.Lang — Agent Charter
-
-## Role
-Deliver deterministic language ecosystem analyzers that run inside Scanner Workers, emit component evidence for SBOM assembly, and package as restart-time plug-ins.
-
-## Scope
-- Shared analyzer abstractions for installed application ecosystems (Java, Node.js, Python, Go, .NET, Rust).
-- Evidence helpers that map on-disk artefacts to canonical component identities (purl/bin sha) with provenance and usage flags.
-- File-system traversal, metadata parsing, and normalization for language-specific package formats.
-- Plug-in bootstrap, manifest authoring, and DI registration so Workers load analyzers at start-up.
-
-## Out of Scope
-- OS package analyzers, native link graph, or EntryTrace plug-ins (handled by other guilds).
-- SBOM composition, diffing, or signing (owned by Emit/Diff/Signer groups).
-- Policy adjudication or vulnerability joins.
-
-## Expectations
-- Deterministic output: identical inputs → identical component ordering and hashes.
-- Memory discipline: streaming walkers, avoid loading entire trees; reuse buffers.
-- Cancellation-aware and timeboxed per layer.
-- Enrich telemetry (counters + timings) via Scanner.Core primitives.
-- Update `TASKS.md` as work progresses (TODO → DOING → DONE/BLOCKED).
-
-## Dependencies
-- Scanner.Core contracts + observability helpers.
-- Scanner.Worker analyzer dispatcher.
-- Upcoming Scanner.Emit models for SBOM assembly.
-- Plugin host infrastructure under `StellaOps.Plugin`.
-
-## Testing & Artifacts
-- Determinism harness with golden fixtures under `Fixtures/`.
-- Microbench benchmarks recorded per language where feasible.
-- Plugin manifests stored under `plugins/scanner/analyzers/lang/` with cosign workflow documented.
+# StellaOps.Scanner.Analyzers.Lang — Agent Charter
+
+## Role
+Deliver deterministic language ecosystem analyzers that run inside Scanner Workers, emit component evidence for SBOM assembly, and package as restart-time plug-ins.
+
+## Scope
+- Shared analyzer abstractions for installed application ecosystems (Java, Node.js, Python, Go, .NET, Rust).
+- Evidence helpers that map on-disk artefacts to canonical component identities (purl/bin sha) with provenance and usage flags.
+- File-system traversal, metadata parsing, and normalization for language-specific package formats.
+- Plug-in bootstrap, manifest authoring, and DI registration so Workers load analyzers at start-up.
+
+## Out of Scope
+- OS package analyzers, native link graph, or EntryTrace plug-ins (handled by other guilds).
+- SBOM composition, diffing, or signing (owned by Emit/Diff/Signer groups).
+- Policy adjudication or vulnerability joins.
+
+## Expectations
+- Deterministic output: identical inputs → identical component ordering and hashes.
+- Memory discipline: streaming walkers, avoid loading entire trees; reuse buffers.
+- Cancellation-aware and timeboxed per layer.
+- Enrich telemetry (counters + timings) via Scanner.Core primitives.
+- Update `TASKS.md` as work progresses (TODO → DOING → DONE/BLOCKED).
+
+## Dependencies
+- Scanner.Core contracts + observability helpers.
+- Scanner.Worker analyzer dispatcher.
+- Upcoming Scanner.Emit models for SBOM assembly.
+- Plugin host infrastructure under `StellaOps.Plugin`.
+
+## Testing & Artifacts
+- Determinism harness with golden fixtures under `Fixtures/`.
+- Microbench benchmarks recorded per language where feasible.
+- Plugin manifests stored under `plugins/scanner/analyzers/lang/` with cosign workflow documented.
+
+## Required Reading
+- `docs/modules/scanner/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md

@@ -2,3 +2,6 @@
 
 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
+| LANG-SURFACE-01 | TODO | Language Analyzer Guild | SURFACE-VAL-02, SURFACE-FS-02 | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites. | Validation pipeline integrated; regression tests updated; failures bubble with actionable errors. |
+| LANG-SURFACE-02 | TODO | Language Analyzer Guild | SURFACE-FS-02 | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. | Analyzer outputs match baseline; performance benchmarks recorded; docs updated. |
+| LANG-SURFACE-03 | TODO | Language Analyzer Guild | SURFACE-SECRETS-02 | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. | Analyzer uses shared provider; tests cover rotation/failure; config docs updated. |