feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

src/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md

@@ -0,0 +1,29 @@
+# StellaOps.Scanner.Analyzers.Lang.Go — Agent Charter
+
+## Role
+Build the Go analyzer plug-in that reads Go build info, module metadata, and DWARF notes to attribute binaries with rich provenance inside Scanner.
+
+## Scope
+- Inspect binaries for build info (`.note.go.buildid`, Go build info blob) and extract module, version, VCS metadata.
+- Parse DWARF-lite sections for commit hash / dirty flag and map to components.
+- Manage shared hash cache to dedupe identical binaries across layers.
+- Provide benchmarks and determinism fixtures; package plug-in manifest.
+
+## Out of Scope
+- Native library link analysis (belongs to native analyzer).
+- VCS remote fetching or symbol download.
+- Policy decisions or vulnerability joins.
+
+## Expectations
+- Latency targets: ≤400 µs (hot) / ≤2 ms (cold) per binary; minimal allocations via buffer pooling.
+- Deterministic fallback to `bin:{sha256}` when metadata absent; heuristics clearly identified.
+- Offline-first: rely solely on embedded metadata.
+- Telemetry for binaries processed, metadata coverage, heuristics usage.
+
+## Dependencies
+- Shared language analyzer core; Worker dispatcher; caching infrastructure (layer cache + file CAS).
+
+## Testing & Artifacts
+- Golden fixtures for modules with/without VCS info, stripped binaries, cross-compiled variants.
+- Benchmark comparison with competitor scanners to demonstrate speed/fidelity advantages.
+- ADR documenting heuristics and risk mitigation.

src/StellaOps.Scanner.Analyzers.Lang.Go/GlobalUsings.cs

@@ -0,0 +1,7 @@
+global using System;
+global using System.Collections.Generic;
+global using System.IO;
+global using System.Threading;
+global using System.Threading.Tasks;
+
+global using StellaOps.Scanner.Analyzers.Lang;

src/StellaOps.Scanner.Analyzers.Lang.Go/Placeholder.cs

@@ -0,0 +1,6 @@
+namespace StellaOps.Scanner.Analyzers.Lang.Go;
+
+internal static class Placeholder
+{
+    // Analyzer implementation will be added during Sprint LA3.
+}

src/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj

@@ -0,0 +1,20 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <EnableDefaultItems>false</EnableDefaultItems>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Compile Include="**\\*.cs" Exclude="obj\\**;bin\\**" />
+    <EmbeddedResource Include="**\\*.json" Exclude="obj\\**;bin\\**" />
+    <None Include="**\\*" Exclude="**\\*.cs;**\\*.json;bin\\**;obj\\**" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.Scanner.Analyzers.Lang\StellaOps.Scanner.Analyzers.Lang.csproj" />
+  </ItemGroup>
+</Project>

src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md

@@ -0,0 +1,10 @@
+# Go Analyzer Task Flow
+
+| Seq | ID | Status | Depends on | Description | Exit Criteria |
+|-----|----|--------|------------|-------------|---------------|
+| 1 | SCANNER-ANALYZERS-LANG-10-304A | TODO | SCANNER-ANALYZERS-LANG-10-307 | Parse Go build info blob (`runtime/debug` format) and `.note.go.buildid`; map to module/version and evidence. | Build info extracted across Go 1.18–1.23 fixtures; evidence includes VCS, module path, and build settings. |
+| 2 | SCANNER-ANALYZERS-LANG-10-304B | TODO | SCANNER-ANALYZERS-LANG-10-304A | Implement DWARF-lite reader for VCS metadata + dirty flag; add cache to avoid re-reading identical binaries. | DWARF reader supplies commit hash for ≥95 % fixtures; cache reduces duplicated IO by ≥70 %. |
+| 3 | SCANNER-ANALYZERS-LANG-10-304C | TODO | SCANNER-ANALYZERS-LANG-10-304B | Fallback heuristics for stripped binaries with deterministic `bin:{sha256}` labeling and quiet provenance. | Heuristic labels clearly separated; tests ensure no false “observed” provenance; documentation updated. |
+| 4 | SCANNER-ANALYZERS-LANG-10-307G | TODO | SCANNER-ANALYZERS-LANG-10-304C | Wire shared helpers (license mapping, usage flags) and ensure concurrency-safe buffer reuse. | Analyzer reuses shared infrastructure; concurrency tests with parallel scans pass; no data races. |
+| 5 | SCANNER-ANALYZERS-LANG-10-308G | TODO | SCANNER-ANALYZERS-LANG-10-307G | Determinism fixtures + benchmark harness (Vs competitor). | Fixtures under `Fixtures/lang/go/`; CI determinism check; benchmark runs showing ≥20 % speed advantage. |
+| 6 | SCANNER-ANALYZERS-LANG-10-309G | TODO | SCANNER-ANALYZERS-LANG-10-308G | Package plug-in manifest + Offline Kit notes; ensure Worker DI registration. | Manifest copied; Worker loads analyzer; Offline Kit docs updated with Go analyzer presence. |