Add LDAP Distinguished Name Helper and Credential Audit Context

- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.

src/Zastava/StellaOps.Zastava.Webhook/TASKS.md

@@ -1,9 +0,0 @@
-# Zastava Webhook Task Board
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| ZASTAVA-SURFACE-02 | TODO | Zastava Webhook Guild | SURFACE-FS-02, ZASTAVA-SURFACE-01 | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. | Admission tests cover cache present/missing paths; policy docs updated; metrics emitted. |
-| ZASTAVA-ENV-02 | TODO | Zastava Webhook Guild | SURFACE-ENV-02 | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). | Webhook uses helper; helm/compose manifests updated; integration tests cover env overrides. |
-| ZASTAVA-SECRETS-02 | TODO | Zastava Webhook Guild, Security Guild | SURFACE-SECRETS-02 | Retrieve attestation verification secrets via Surface.Secrets. | Shared secret provider integrated; rotation/e2e tests pass; secrets no longer read directly from env. |
-
-> Status update · 2025-10-19: Confirmed no prerequisites for ZASTAVA-WEBHOOK-12-101/102/103; tasks moved to DOING for kickoff. Implementation plan covering TLS bootstrap, backend contract, caching/metrics recorded in `IMPLEMENTATION_PLAN.md`.