feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.

src/StellaOps.Signer/AGENTS.md

@@ -0,0 +1,21 @@
+# Signer Guild
+
+## Mission
+Operate the Stella Ops Signer service: authenticate trusted callers, enforce proof‑of‑entitlement and release integrity policy, and mint verifiable DSSE bundles (keyless or KMS-backed) for downstream attestation.
+
+## Teams On Call
+- Team 11 (Signer API)
+- Team 12 (Signer Reliability & Quotas)
+
+## Operating Principles
+- Accept requests only with Authority-issued OpToks plus DPoP or mTLS sender binding; reject unsigned/cross-tenant traffic.
+- Treat PoE claims as hard gates for quota, version windows, and license validity; cache results deterministically with bounded TTLs.
+- Verify scanner image release signatures via OCI Referrers before signing; fail closed on ambiguity.
+- Keep the hot path stateless and deterministic; persist audit trails with structured logging, metrics, and correlation IDs.
+- Update `TASKS.md`, architecture notes, and tests whenever behaviour or contracts evolve.
+
+## Key Directories
+- `src/StellaOps.Signer/StellaOps.Signer.WebService/` — Minimal API host and HTTP surface (to be scaffolded).
+- `src/StellaOps.Signer/StellaOps.Signer.Core/` — Domain contracts, signing pipeline, quota enforcement (to be scaffolded).
+- `src/StellaOps.Signer/StellaOps.Signer.Infrastructure/` — External clients (Authority, Licensing, Fulcio/KMS, OCI) and persistence (to be scaffolded).
+- `src/StellaOps.Signer/StellaOps.Signer.Tests/` — Unit/integration test suites (to be scaffolded).