Add signal contracts for reachability, exploitability, trust, and unknown symbols

- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.

docs/modules/evidence-locker/CHANGELOG.md

@@ -0,0 +1,16 @@
+# StellaOps Evidence Locker – Changelog
+
+Semantic Versioning policy: MAJOR for breaking API/format changes; MINOR for new capabilities or schema additions; PATCH for fixes that do not change contracts. Dates are UTC.
+
+## 1.1.0 – 2025-12-04
+- Closed EB1–EB10 gaps from the 28-Nov-2025 advisory:
+  - Published canonical schemas `schemas/bundle.manifest.schema.json` and `schemas/checksums.schema.json`.
+  - DSSE subject now bound to the Merkle root (sha256 of `checksums.txt`); log policy captured for offline/online cases.
+  - Replay provenance block defined and embedded in manifest/attestation contracts.
+  - Incident-mode toggles recorded and signed; portable/redaction guidance formalized.
+  - Merkle/CAS recipe documented with deterministic gzip/tar invariants.
+  - Offline verifier guide + script published; golden sealed/portable bundles and replay NDJSON fixtures added under `tests/EvidenceLocker/Bundles/Golden/`.
+- Status: **Released** for documentation/fixtures; wire into code/tests before packaging a new binary drop.
+
+## 1.0.0 – 2025-11-19
+- Initial Evidence Bundle v1 contract and sample layout published.