feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

docs/ARCHITECTURE_EXCITITOR.md

@@ -112,10 +112,10 @@ disposition: kept|replaced|superseded
 correlation: { replaces?: sha256, replacedBy?: sha256 }
 ```
 
-**`vex.claims`** (normalized rows; dedupe on providerId+vulnId+productKey+docDigest)
+**`vex.statements`** (immutable normalized rows; append-only event log)
 
 ```
-_id
+_id: ObjectId
 providerId
 vulnId
 productKey
@@ -127,9 +127,16 @@ lastObserved
 docDigest
 provenance { uri, line?, pointer?, signatureState }
 evidence[] { key, value, locator }
+signals? {
+  severity? { scheme, score?, label?, vector? }
+  kev?: bool
+  epss?: double
+}
+insertedAt
 indices: 
   - {vulnId:1, productKey:1}
-  - {providerId:1, lastObserved:-1}
+  - {providerId:1, insertedAt:-1}
+  - {docDigest:1}
   - {status:1}
   - text index (optional) on evidence.value for debugging
 ```
@@ -146,6 +153,11 @@ sources[]: [
 ]
 policyRevisionId
 evaluatedAt
+signals? {
+  severity? { scheme, score?, label?, vector? }
+  kev?: bool
+  epss?: double
+}
 consensusDigest  // same as _id
 indices:
   - {vulnId:1, productKey:1}
@@ -175,6 +187,7 @@ ttl, hits
 **`vex.migrations`**
 
 * ordered migrations applied at bootstrap to ensure indexes.
+* `20251019-consensus-signals-statements` introduces the statements log indexes and the `policyRevisionId + evaluatedAt` lookup for consensus — rerun consensus writers once to hydrate newly persisted signals.
 
 ### 3.2 Indexing strategy
 
@@ -339,6 +352,10 @@ excititor:
       platform: 0.7
       hub: 0.5
       attestation: 0.6
+      ceiling: 1.25
+    scoring:
+      alpha: 0.25
+      beta: 0.5
     providerOverrides:
       redhat: 1.0
       suse: 0.95
@@ -367,6 +384,20 @@ excititor:
       signaturePolicy: { type: cosign, cosignKeylessRoots: [ "sigstore-root" ] }
 ```
 
+### 9.1 WebService endpoints
+
+With storage configured, the WebService exposes the following ingress and diagnostic APIs:
+
+* `GET /excititor/status` – returns the active storage configuration and registered artifact stores.
+* `GET /excititor/health` – simple liveness probe.
+* `POST /excititor/statements` – accepts normalized VEX statements and persists them via `IVexClaimStore`; use this for migrations/backfills.
+* `GET /excititor/statements/{vulnId}/{productKey}?since=` – returns the immutable statement log for a vulnerability/product pair.
+
+Run the ingestion endpoint once after applying migration `20251019-consensus-signals-statements` to repopulate historical statements with the new severity/KEV/EPSS signal fields.
+
+* `weights.ceiling` raises the deterministic clamp applied to provider tiers/overrides (range 1.0‒5.0). Values outside the range are clamped with warnings so operators can spot typos.
+* `scoring.alpha` / `scoring.beta` configure KEV/EPSS boosts for the Phase 1 → Phase 2 scoring pipeline. Defaults (0.25, 0.5) preserve prior behaviour; negative or excessively large values fall back with diagnostics.
+
 ---
 
 ## 10) Security model