feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

src/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md

@@ -0,0 +1,32 @@
+# StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter
+
+## Role
+Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views.
+
+## Scope
+- Parse `*.dist-info` and `*.data` directories, validating `METADATA`, `RECORD`, and `entry_points.txt`.
+- Detect editable installs and pip caches, reconciling metadata with actual files.
+- Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes.
+- Package plug-in manifest and ensure deterministic fixtures + benchmarks.
+
+## Out of Scope
+- Language analyzers for other ecosystems.
+- Policy evaluation, vulnerability correlation, or packaging into UI flows.
+- Building Python interpreters or executing scripts (analysis is static only).
+
+## Expectations
+- Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged.
+- Performance target: ≥75 MB/s RECORD verification, end-to-end fixture <2.0 s.
+- Offline-first: no PyPI calls; relies on local metadata only.
+- Rich telemetry (components counted, hash mismatches) following Scanner metrics schema.
+- Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync.
+
+## Dependencies
+- Shared language analyzer infrastructure.
+- EntryTrace usage hints (for script activation).
+- Worker dispatcher for plug-in loading.
+
+## Testing & Artifacts
+- Golden fixtures for venv, virtualenv, pipx, and editable installs.
+- Benchmark results comparing hash-check throughput against competitor tools.
+- Offline Kit guidance for bundling standard library metadata if required.

src/StellaOps.Scanner.Analyzers.Lang.Python/GlobalUsings.cs

@@ -0,0 +1,7 @@
+global using System;
+global using System.Collections.Generic;
+global using System.IO;
+global using System.Threading;
+global using System.Threading.Tasks;
+
+global using StellaOps.Scanner.Analyzers.Lang;

src/StellaOps.Scanner.Analyzers.Lang.Python/Placeholder.cs

@@ -0,0 +1,6 @@
+namespace StellaOps.Scanner.Analyzers.Lang.Python;
+
+internal static class Placeholder
+{
+    // Analyzer implementation will be added during Sprint LA2.
+}

src/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj

@@ -0,0 +1,20 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <EnableDefaultItems>false</EnableDefaultItems>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Compile Include="**\\*.cs" Exclude="obj\\**;bin\\**" />
+    <EmbeddedResource Include="**\\*.json" Exclude="obj\\**;bin\\**" />
+    <None Include="**\\*" Exclude="**\\*.cs;**\\*.json;bin\\**;obj\\**" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.Scanner.Analyzers.Lang\StellaOps.Scanner.Analyzers.Lang.csproj" />
+  </ItemGroup>
+</Project>

src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md

@@ -0,0 +1,10 @@
+# Python Analyzer Task Flow
+
+| Seq | ID | Status | Depends on | Description | Exit Criteria |
+|-----|----|--------|------------|-------------|---------------|
+| 1 | SCANNER-ANALYZERS-LANG-10-303A | TODO | SCANNER-ANALYZERS-LANG-10-307 | STREAM-based parser for `*.dist-info` (`METADATA`, `WHEEL`, `entry_points.txt`) with normalization + evidence capture. | Parser handles CPython 3.8–3.12 metadata variations; fixtures confirm canonical ordering and UTF-8 handling. |
+| 2 | SCANNER-ANALYZERS-LANG-10-303B | TODO | SCANNER-ANALYZERS-LANG-10-303A | RECORD hash verifier with chunked hashing, Zip64 support, and mismatch diagnostics. | Verifier processes 5 GB RECORD fixture without allocations >2 MB; mismatches produce deterministic evidence records. |
+| 3 | SCANNER-ANALYZERS-LANG-10-303C | TODO | SCANNER-ANALYZERS-LANG-10-303B | Editable install + pip cache detection; integrate EntryTrace hints for runtime usage flags. | Editable installs resolved to source path; usage flags propagated; regression tests cover mixed editable + wheel installs. |
+| 4 | SCANNER-ANALYZERS-LANG-10-307P | TODO | SCANNER-ANALYZERS-LANG-10-303C | Shared helper integration (license metadata, quiet provenance, component merging). | Shared helpers reused; analyzer-specific metadata minimal; deterministic merge tests pass. |
+| 5 | SCANNER-ANALYZERS-LANG-10-308P | TODO | SCANNER-ANALYZERS-LANG-10-307P | Golden fixtures + determinism harness for Python analyzer; add benchmark and hash throughput reporting. | Fixtures under `Fixtures/lang/python/`; determinism CI guard; benchmark CSV added with threshold alerts. |
+| 6 | SCANNER-ANALYZERS-LANG-10-309P | TODO | SCANNER-ANALYZERS-LANG-10-308P | Package plug-in (manifest, DI registration) and document Offline Kit bundling of Python stdlib metadata if needed. | Manifest copied to `plugins/scanner/analyzers/lang/`; Worker loads analyzer; Offline Kit doc updated. |