Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

docs/ARCHITECTURE_ZASTAVA.md

@@ -141,10 +141,10 @@ stellaops/zastava-agent       # System service; watch Docker events; observer on
   * Image signature presence (if cosign policies are local; else ask backend).
   * SBOM **referrers** presence (HEAD to registry, optional).
   * Rekor UUID known (query Scanner.WebService by image digest).
-* **Publish runtime events** to Scanner.WebService `/runtime/events` (batch & compress).
-* **Request delta scan** if: no SBOM in catalog OR base differs from known baseline.
-
-### 3.2 Privileges & mounts (K8s)
+* **Publish runtime events** to Scanner.WebService `/runtime/events` (batch & compress).
+* **Request delta scan** if: no SBOM in catalog OR base differs from known baseline.
+
+### 3.2 Privileges & mounts (K8s)
 
 * **SecurityContext:** `runAsUser: 0`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`.
 * **Capabilities:** `CAP_SYS_PTRACE` (optional if using nsenter trace), `CAP_DAC_READ_SEARCH`.
@@ -154,12 +154,22 @@ stellaops/zastava-agent       # System service; watch Docker events; observer on
   * `/run/containerd/containerd.sock` (or CRI‑O socket)
   * `/var/lib/containerd/io.containerd.runtime.v2.task` (rootfs paths & pids)
 * **Networking:** cluster‑internal egress to Scanner.WebService only.
-* **Rate limits:** hard caps for bytes hashed and file count per container to avoid noisy tenants.
-
-### 3.3 Event batching
-
-* Buffer ND‑JSON; flush by **N events** or **2 s**.
-* Backpressure: local disk ring buffer (50 MB default) if Scanner is temporarily unavailable; drop oldest after cap with **metrics** and **warning** event.
+* **Rate limits:** hard caps for bytes hashed and file count per container to avoid noisy tenants.
+
+### 3.3 Event batching
+
+* Buffer ND‑JSON; flush by **N events** or **2 s**.
+* Backpressure: local disk ring buffer (50 MB default) if Scanner is temporarily unavailable; drop oldest after cap with **metrics** and **warning** event.
+
+### 3.4 Build-id capture & validation workflow
+
+1. When Observer sees a `CONTAINER_START` it dereferences `/proc/<pid>/exe`, extracts the `NT_GNU_BUILD_ID` note, normalises it to lower-case hex, and sends it as `process.buildId` in the runtime envelope.
+2. Scanner.WebService persists the observation and propagates the most recent hashes into `/policy/runtime` responses (`buildIds` list) and policy caches consumed by the webhook/CLI.
+3. Release engineering copies the matching `.debug` files into the bundle (`debug/.build-id/<aa>/<rest>.debug`) and publishes `debug/debug-manifest.json` with per-hash digests. Offline Kit packaging reuses those artefacts verbatim (see `ops/offline-kit/mirror_debug_store.py`).
+4. Operators resolve symbols by either:
+   * calling `stellaops-cli runtime policy test --image <digest>` to read the current `buildIds` and then fetching the corresponding `.debug` file from the bundle/offline mirror, or
+   * piping the hash into `debuginfod-find debuginfo <buildId>` when a `debuginfod` service is wired against the mirrored tree.
+5. Missing hashes indicate stripped binaries without GNU notes; operators should trigger a rebuild with `-Wl,--build-id` or register a fallback symbol package as described in the runtime operations runbook.
 
 ---