feat: Implement Policy Engine Evaluation Service and Cache with unit tests

Temp commit to debug

docs/modules/scanner/design/surface-env.md

@@ -112,7 +112,7 @@ Failures throw `SurfaceEnvironmentException` with error codes (`SURFACE_ENV_MISS
 ## 6. Integration Guidance
 
 - **Scanner Worker**: call `services.AddSurfaceEnvironment()` in `Program.cs` before registering analyzers. Pass `hostContext.Configuration.GetSection("Surface")` for overrides.
-- **Scanner WebService**: build environment during startup, then expose selected values via diagnostics (`/internal/surface` when diagnostics enabled).
+- **Scanner WebService**: build environment during startup using `AddSurfaceEnvironment`, `AddSurfaceValidation`, `AddSurfaceFileCache`, and `AddSurfaceSecrets`; readiness checks execute the validator runner and scan/report APIs emit Surface CAS pointers derived from the resolved configuration.
 - **Zastava Observer/Webhook**: use the same builder; ensure Helm charts set `ZASTAVA_` variables.
 - **Scheduler Planner (future)**: treat Surface.Env as read-only input; do not mutate settings.
 

docs/modules/scanner/design/surface-fs.md

@@ -66,6 +66,14 @@ Surface.FS exposes a gRPC/HTTP API consumed by .NET clients:
 
 .NET client wraps these calls and handles retries using Polly policies.
 
+### WebService integration (2025-11-05)
+
+- `/api/v1/scans/{id}` and `/api/v1/reports` responses now include a `surface` block containing:
+  - `manifestUri` – `cas://` pointer to the Surface manifest JSON.
+  - `manifestDigest` – canonical SHA-256 over the manifest payload.
+  - `manifest.artifacts[]` – deterministic list with `kind`, `uri`, `digest`, `mediaType`, `format`, and optional `view`. URIs reuse the `ArtifactObjectKeyBuilder` semantics (`cas://{bucket}/{rootPrefix}/images/...`).
+- This allows UI/CLI consumers to fetch manifests or artefacts without additional Surface.FS round-trips.
+
 ## 4. Library Responsibilities
 
 Surface.FS library for .NET hosts provides: