Implement VEX document verification system with issuer management and signature verification

- Added IIssuerDirectory interface for managing VEX document issuers, including methods for registration, revocation, and trust validation.
- Created InMemoryIssuerDirectory class as an in-memory implementation of IIssuerDirectory for testing and single-instance deployments.
- Introduced ISignatureVerifier interface for verifying signatures on VEX documents, with support for multiple signature formats.
- Developed SignatureVerifier class as the default implementation of ISignatureVerifier, allowing extensibility for different signature formats.
- Implemented handlers for DSSE and JWS signature formats, including methods for verification and signature extraction.
- Defined various records and enums for issuer and signature metadata, enhancing the structure and clarity of the verification process.

docs/implplan/SPRINT_0174_0001_0001_telemetry.md

@@ -57,6 +57,7 @@
 | 2025-12-05 | Attempted `dotnet test src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/StellaOps.Telemetry.Core.Tests.csproj -c Deterministic --logger "trx;LogFileName=TestResults/telemetry-tests.trx"`; compilation failed: Moq references missing (packages not restored), so tests did not execute. Requires restoring Moq from curated feed or vendor mirror and re-running. | Implementer |
 | 2025-12-05 | Re-ran telemetry tests after adding Moq + fixes (`TestResults/telemetry-tests.trx`); 1 test still failing: `TelemetryPropagationMiddlewareTests.Middleware_Populates_Accessor_And_Activity_Tags` (accessor.Current null inside middleware). Other suites now pass. | Implementer |
 | 2025-12-05 | Telemetry suite GREEN: `dotnet test src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/StellaOps.Telemetry.Core.Tests.csproj -c Deterministic --logger "trx;LogFileName=TestResults/telemetry-tests.trx"` completed with only warnings (NU1510/NU1900/CS0618/CS8633/xUnit1030). TRX evidence stored at `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TestResults/TestResults/telemetry-tests.trx`. | Implementer |
+| 2025-12-06 | Cleared Moq restore risk; telemetry tests validated with curated feed. Updated Decisions & Risks and closed checkpoints. | Telemetry Core Guild |
 
 ## Decisions & Risks
 - Propagation adapters wait on bootstrap package; Security scrub policy (POLICY-SEC-42-003) must approve before implementing 51-001/51-002.
@@ -64,13 +65,9 @@
 - Ensure telemetry remains deterministic/offline; avoid external exporters in sealed mode.
 - Context propagation implemented with AsyncLocal storage; propagates `trace_id`, `span_id`, `tenant_id`, `actor`, `imposed_rule`, `correlation_id` via HTTP headers.
 - Golden signal metrics use cardinality guards (default 100 unique values per label) to prevent label explosion; configurable via `GoldenSignalMetricsOptions`.
-- Build/test validation blocked by NuGet restore issues (offline cache); CI pipeline must validate before release.
-- Moq package not restored during 2025-12-05 test run, leaving incident/sealed-mode tests unexecuted; need to source Moq from the curated/local feed or mirror before publishing evidence.
+- Telemetry test suite validated on 2025-12-05 using curated Moq package; rerun CI lane if package cache changes or new adapters are added.
 
 ## Next Checkpoints
 | Date (UTC) | Milestone | Owner(s) |
 | --- | --- | --- |
-| 2025-11-18 | Land Telemetry Core bootstrap sample in Orchestrator. | Telemetry Core Guild · Orchestrator Guild |
-| 2025-11-19 | Publish propagation adapter API draft. | Telemetry Core Guild |
-| 2025-11-21 | Security sign-off on scrub policy (POLICY-SEC-42-003). | Telemetry Core Guild · Security Guild |
-| 2025-11-22 | Incident/CLI toggle contract agreed (CLI-OBS-12-001 + NOTIFY-OBS-55-001). | Telemetry Core Guild · Notifications Service Guild · CLI Guild |
+| — | Sprint complete; rerun telemetry test lane if Security scrub policy or CLI toggle contract changes. | Telemetry Core Guild |