feat: Implement IsolatedReplayContext for deterministic audit replay

- Added IsolatedReplayContext class to provide an isolated environment for replaying audit bundles without external calls.
- Introduced methods for initializing the context, verifying input digests, and extracting inputs for policy evaluation.
- Created supporting interfaces and options for context configuration.

feat: Create ReplayExecutor for executing policy re-evaluation and verdict comparison

- Developed ReplayExecutor class to handle the execution of replay processes, including input verification and verdict comparison.
- Implemented detailed drift detection and error handling during replay execution.
- Added interfaces for policy evaluation and replay execution options.

feat: Add ScanSnapshotFetcher for fetching scan data and snapshots

- Introduced ScanSnapshotFetcher class to retrieve necessary scan data and snapshots for audit bundle creation.
- Implemented methods to fetch scan metadata, advisory feeds, policy snapshots, and VEX statements.
- Created supporting interfaces for scan data, feed snapshots, and policy snapshots.

src/Policy/StellaOps.Policy.Registry/Distribution/IPolicyPackOciPublisher.cs

@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Sprint: SPRINT_5200_0001_0001 - Starter Policy Template
+// Task: T7 - Policy Pack Distribution
+
+using StellaOps.Policy.Registry.Contracts;
+
+namespace StellaOps.Policy.Registry.Distribution;
+
+/// <summary>
+/// Interface for publishing policy packs to OCI registries.
+/// </summary>
+public interface IPolicyPackOciPublisher
+{
+    /// <summary>
+    /// Pushes a policy pack to an OCI registry.
+    /// </summary>
+    Task<PolicyPackPushResult> PushAsync(
+        PolicyPackPushRequest request,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Pulls a policy pack from an OCI registry.
+    /// </summary>
+    Task<PolicyPackPullResult> PullAsync(
+        string reference,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Lists available policy pack versions in a repository.
+    /// </summary>
+    Task<PolicyPackTagList> ListTagsAsync(
+        string repository,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Request to push a policy pack to OCI registry.
+/// </summary>
+public sealed record PolicyPackPushRequest
+{
+    /// <summary>
+    /// OCI reference (e.g., registry.example.com/policies/starter-day1:1.0.0).
+    /// </summary>
+    public required string Reference { get; init; }
+
+    /// <summary>
+    /// Policy pack content as YAML.
+    /// </summary>
+    public required byte[] PackContent { get; init; }
+
+    /// <summary>
+    /// Policy pack name.
+    /// </summary>
+    public required string PackName { get; init; }
+
+    /// <summary>
+    /// Policy pack version.
+    /// </summary>
+    public required string PackVersion { get; init; }
+
+    /// <summary>
+    /// Optional environment overrides to include.
+    /// </summary>
+    public IReadOnlyDictionary<string, byte[]>? Overrides { get; init; }
+
+    /// <summary>
+    /// Optional DSSE attestation envelope to include.
+    /// </summary>
+    public byte[]? Attestation { get; init; }
+
+    /// <summary>
+    /// Additional annotations to include in the manifest.
+    /// </summary>
+    public IReadOnlyDictionary<string, string>? Annotations { get; init; }
+}
+
+/// <summary>
+/// Result of pushing a policy pack to OCI registry.
+/// </summary>
+public sealed record PolicyPackPushResult
+{
+    public required bool Success { get; init; }
+    public string? ManifestDigest { get; init; }
+    public string? ManifestReference { get; init; }
+    public IReadOnlyList<string>? LayerDigests { get; init; }
+    public string? Error { get; init; }
+
+    public static PolicyPackPushResult Failed(string error) => new()
+    {
+        Success = false,
+        Error = error
+    };
+}
+
+/// <summary>
+/// Result of pulling a policy pack from OCI registry.
+/// </summary>
+public sealed record PolicyPackPullResult
+{
+    public required bool Success { get; init; }
+    public string? ManifestDigest { get; init; }
+    public byte[]? PackContent { get; init; }
+    public string? PackName { get; init; }
+    public string? PackVersion { get; init; }
+    public IReadOnlyDictionary<string, byte[]>? Overrides { get; init; }
+    public byte[]? Attestation { get; init; }
+    public IReadOnlyDictionary<string, string>? Annotations { get; init; }
+    public string? Error { get; init; }
+
+    public static PolicyPackPullResult Failed(string error) => new()
+    {
+        Success = false,
+        Error = error
+    };
+}
+
+/// <summary>
+/// List of available policy pack tags in a repository.
+/// </summary>
+public sealed record PolicyPackTagList
+{
+    public required bool Success { get; init; }
+    public required string Repository { get; init; }
+    public IReadOnlyList<string>? Tags { get; init; }
+    public string? Error { get; init; }
+}