feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.

src/Policy/StellaOps.Policy.Engine/Options/PolicyEngineOptions.cs

@@ -24,15 +24,17 @@ public sealed class PolicyEngineOptions
     public PolicyEngineResourceServerOptions ResourceServer { get; } = new();
 
     public PolicyEngineCompilationOptions Compilation { get; } = new();
-
-    public PolicyEngineActivationOptions Activation { get; } = new();
-
-    public PolicyEngineTelemetryOptions Telemetry { get; } = new();
-
-    public PolicyEngineRiskProfileOptions RiskProfile { get; } = new();
-
-    public ReachabilityFactsCacheOptions ReachabilityCache { get; } = new();
-
+
+    public PolicyEngineActivationOptions Activation { get; } = new();
+
+    public PolicyEngineTelemetryOptions Telemetry { get; } = new();
+
+    public PolicyEngineEntropyOptions Entropy { get; } = new();
+
+    public PolicyEngineRiskProfileOptions RiskProfile { get; } = new();
+
+    public ReachabilityFactsCacheOptions ReachabilityCache { get; } = new();
+
     public PolicyEvaluationCacheOptions EvaluationCache { get; } = new();
 
     public EffectiveDecisionMapOptions EffectiveDecisionMap { get; } = new();
@@ -43,13 +45,14 @@ public sealed class PolicyEngineOptions
 
     public void Validate()
     {
-        Authority.Validate();
-        Storage.Validate();
-        Workers.Validate();
-        ResourceServer.Validate();
+        Authority.Validate();
+        Storage.Validate();
+        Workers.Validate();
+        ResourceServer.Validate();
         Compilation.Validate();
         Activation.Validate();
         Telemetry.Validate();
+        Entropy.Validate();
         RiskProfile.Validate();
         ExceptionLifecycle.Validate();
     }
@@ -226,8 +229,8 @@ public sealed class PolicyEngineCompilationOptions
 }
 
 
-public sealed class PolicyEngineActivationOptions
-{
+public sealed class PolicyEngineActivationOptions
+{
     /// <summary>
     /// Forces two distinct approvals for every activation regardless of the request payload.
     /// </summary>
@@ -244,12 +247,78 @@ public sealed class PolicyEngineActivationOptions
     public bool EmitAuditLogs { get; set; } = true;
 
     public void Validate()
-    {
-    }
-}
-
-public sealed class PolicyEngineRiskProfileOptions
-{
+    {
+    }
+}
+
+public sealed class PolicyEngineEntropyOptions
+{
+    /// <summary>
+    /// Multiplier K applied to summed layer contributions.
+    /// </summary>
+    public decimal PenaltyMultiplier { get; set; } = 0.5m;
+
+    /// <summary>
+    /// Maximum entropy penalty applied to trust weighting.
+    /// </summary>
+    public decimal PenaltyCap { get; set; } = 0.3m;
+
+    /// <summary>
+    /// Threshold for blocking when whole-image opaque ratio exceeds this value and provenance is unknown.
+    /// </summary>
+    public decimal ImageOpaqueBlockThreshold { get; set; } = 0.15m;
+
+    /// <summary>
+    /// Threshold for warning when any file/layer opaque ratio exceeds this value.
+    /// </summary>
+    public decimal FileOpaqueWarnThreshold { get; set; } = 0.30m;
+
+    /// <summary>
+    /// Mitigation factor applied when symbols are present and provenance is attested.
+    /// </summary>
+    public decimal SymbolMitigationFactor { get; set; } = 0.5m;
+
+    /// <summary>
+    /// Number of top opaque files to surface in explanations.
+    /// </summary>
+    public int TopFiles { get; set; } = 5;
+
+    public void Validate()
+    {
+        if (PenaltyMultiplier < 0)
+        {
+            throw new InvalidOperationException("Entropy.PenaltyMultiplier must be non-negative.");
+        }
+
+        if (PenaltyCap < 0 || PenaltyCap > 1)
+        {
+            throw new InvalidOperationException("Entropy.PenaltyCap must be between 0 and 1.");
+        }
+
+        if (ImageOpaqueBlockThreshold < 0 || ImageOpaqueBlockThreshold > 1)
+        {
+            throw new InvalidOperationException("Entropy.ImageOpaqueBlockThreshold must be between 0 and 1.");
+        }
+
+        if (FileOpaqueWarnThreshold < 0 || FileOpaqueWarnThreshold > 1)
+        {
+            throw new InvalidOperationException("Entropy.FileOpaqueWarnThreshold must be between 0 and 1.");
+        }
+
+        if (SymbolMitigationFactor < 0 || SymbolMitigationFactor > 1)
+        {
+            throw new InvalidOperationException("Entropy.SymbolMitigationFactor must be between 0 and 1.");
+        }
+
+        if (TopFiles <= 0)
+        {
+            throw new InvalidOperationException("Entropy.TopFiles must be greater than zero.");
+        }
+    }
+}
+
+public sealed class PolicyEngineRiskProfileOptions
+{
     /// <summary>
     /// Enables risk profile integration for policy evaluation.
     /// </summary>