feat: Implement IsolatedReplayContext for deterministic audit replay

- Added IsolatedReplayContext class to provide an isolated environment for replaying audit bundles without external calls.
- Introduced methods for initializing the context, verifying input digests, and extracting inputs for policy evaluation.
- Created supporting interfaces and options for context configuration.

feat: Create ReplayExecutor for executing policy re-evaluation and verdict comparison

- Developed ReplayExecutor class to handle the execution of replay processes, including input verification and verdict comparison.
- Implemented detailed drift detection and error handling during replay execution.
- Added interfaces for policy evaluation and replay execution options.

feat: Add ScanSnapshotFetcher for fetching scan data and snapshots

- Introduced ScanSnapshotFetcher class to retrieve necessary scan data and snapshots for audit bundle creation.
- Implemented methods to fetch scan metadata, advisory feeds, policy snapshots, and VEX statements.
- Created supporting interfaces for scan data, feed snapshots, and policy snapshots.

src/Cli/StellaOps.Cli/Services/Models/OciTypes.cs

@@ -0,0 +1,29 @@
+// -----------------------------------------------------------------------------
+// OciTypes.cs
+// Description: OCI registry types and constants for verdict attestation handling.
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.Scanner.Storage.Oci;
+
+/// <summary>
+/// OCI media types for StellaOps artifacts.
+/// </summary>
+public static class OciMediaTypes
+{
+    public const string VerdictAttestation = "application/vnd.stellaops.verdict.attestation.v1+json";
+    public const string SbomAttestation = "application/vnd.stellaops.sbom.attestation.v1+json";
+    public const string PolicyAttestation = "application/vnd.stellaops.policy.attestation.v1+json";
+}
+
+/// <summary>
+/// OCI annotation keys for StellaOps artifacts.
+/// </summary>
+public static class OciAnnotations
+{
+    public const string StellaSbomDigest = "io.stellaops.sbom.digest";
+    public const string StellaFeedsDigest = "io.stellaops.feeds.digest";
+    public const string StellaPolicyDigest = "io.stellaops.policy.digest";
+    public const string StellaVerdictDecision = "io.stellaops.verdict.decision";
+    public const string StellaVerdictTimestamp = "io.stellaops.verdict.timestamp";
+    public const string StellaGraphRevisionId = "io.stellaops.graph.revision";
+}

src/Cli/StellaOps.Cli/Services/Models/PolicyUnknownsModels.cs

@@ -0,0 +1,34 @@
+// -----------------------------------------------------------------------------
+// PolicyUnknownsModels.cs
+// Description: Stub models for Policy Unknowns that are referenced by CLI commands.
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.Policy.Unknowns.Models;
+
+/// <summary>
+/// Represents an unknown vulnerability or finding that could not be matched.
+/// </summary>
+public sealed record UnknownEntry
+{
+    public required string Id { get; init; }
+    public required string CveId { get; init; }
+    public string? Package { get; init; }
+    public string? Version { get; init; }
+    public required string Band { get; init; } // HOT, WARM, COLD
+    public double? Score { get; init; }
+    public required DateTimeOffset CreatedAt { get; init; }
+    public DateTimeOffset? EscalatedAt { get; init; }
+    public string? ReasonCode { get; init; }
+}
+
+/// <summary>
+/// Budget check result for unknowns.
+/// </summary>
+public sealed record UnknownsBudgetResult
+{
+    public required bool IsWithinBudget { get; init; }
+    public required string Environment { get; init; }
+    public int TotalUnknowns { get; init; }
+    public int? TotalLimit { get; init; }
+    public string? Message { get; init; }
+}