feat: Add guild charters and task boards for various components

- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.

src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md

@@ -0,0 +1,30 @@
+# Zastava Webhook Guild Charter
+
+## Mission
+Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible.
+
+## Scope
+- Admission controller code under `StellaOps.Zastava.Webhook`.
+- Request validation, response generation, and audit logging.
+- Integration with Surface.FS/Env/Secrets/Validation and Authority scopes.
+- Helm/Compose configuration samples and compatibility with sealed environments.
+
+## Required Reading
+- `docs/modules/zastava/architecture.md`
+- `docs/modules/scanner/design/surface-fs.md`
+- `docs/modules/scanner/design/surface-env.md`
+- `docs/modules/scanner/design/surface-secrets.md`
+- `docs/modules/scanner/design/surface-validation.md`
+- `docs/modules/scanner/architecture.md` (runtime posture/admission sections)
+- `docs/modules/policy/architecture.md`
+- `docs/modules/airgap/airgap-mode.md`
+- `docs/modules/devops/runbooks/zastava-deployment.md`
+
+## Working Agreement
+1. **Task state**: update `docs/implplan/SPRINTS.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work.
+2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
+3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
+4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
+5. **Offline posture**: operate without external egress; surface actionable errors when cache/attestation data is missing.
+6. **Testing**: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets.
+7. **Documentation**: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes.

src/Zastava/StellaOps.Zastava.Webhook/TASKS.md

@@ -2,5 +2,8 @@
 
 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
+| ZASTAVA-SURFACE-02 | TODO | Zastava Webhook Guild | SURFACE-FS-02, ZASTAVA-SURFACE-01 | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. | Admission tests cover cache present/missing paths; policy docs updated; metrics emitted. |
+| ZASTAVA-ENV-02 | TODO | Zastava Webhook Guild | SURFACE-ENV-02 | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). | Webhook uses helper; helm/compose manifests updated; integration tests cover env overrides. |
+| ZASTAVA-SECRETS-02 | TODO | Zastava Webhook Guild, Security Guild | SURFACE-SECRETS-02 | Retrieve attestation verification secrets via Surface.Secrets. | Shared secret provider integrated; rotation/e2e tests pass; secrets no longer read directly from env. |
 
 > Status update · 2025-10-19: Confirmed no prerequisites for ZASTAVA-WEBHOOK-12-101/102/103; tasks moved to DOING for kickoff. Implementation plan covering TLS bootstrap, backend contract, caching/metrics recorded in `IMPLEMENTATION_PLAN.md`.