feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.

ops/devops/airgap/k8s-deny-egress.yaml

@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: sealed-deny-all-egress
+  namespace: default
+  labels:
+    stellaops.dev/owner: devops
+    stellaops.dev/purpose: sealed-mode
+spec:
+  podSelector:
+    matchLabels:
+      sealed: "true"
+  policyTypes:
+    - Egress
+  egress: []
+---
+# Optional patch to allow in-cluster DNS while still blocking external egress.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: sealed-allow-dns
+  namespace: default
+  labels:
+    stellaops.dev/owner: devops
+    stellaops.dev/purpose: sealed-mode
+spec:
+  podSelector:
+    matchLabels:
+      sealed: "true"
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53