Add signal contracts for reachability, exploitability, trust, and unknown symbols

- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.

offline/notifier/artifact-hashes.json

@@ -1,11 +1,14 @@
 {
   "hash_algorithm": "blake3-256",
   "entries": [
-    { "path": "docs/notifications/schemas/notify-schemas-catalog.json", "digest": "TBD" },
-    { "path": "docs/notifications/gaps-nr1-nr10.md", "digest": "TBD" },
-    { "path": "docs/notifications/fixtures/rendering/index.ndjson", "digest": "TBD" },
-    { "path": "docs/notifications/fixtures/redaction/sample.json", "digest": "TBD" },
-    { "path": "docs/notifications/operations/dashboards/notify-slo.json", "digest": "TBD" },
-    { "path": "docs/notifications/operations/alerts/notify-slo-alerts.yaml", "digest": "TBD" }
+    { "path": "docs/notifications/schemas/notify-schemas-catalog.json", "digest": "630a526cd3b6652f043785f6b2619009071c2cae15dc95d83bba4ef3b11afd7b" },
+    { "path": "docs/notifications/schemas/notify-schemas-catalog.dsse.json", "digest": "7c537ff728312cefb0769568bd376adc2bd79f6926173bf21f50c873902133dc" },
+    { "path": "docs/notifications/gaps-nr1-nr10.md", "digest": "8d0d8b1b0838d966c4a48cb0cf669cef4965d3724d4e89ed4b1a7321572cc5d3" },
+    { "path": "docs/notifications/fixtures/rendering/index.ndjson", "digest": "270cea7c04fb70b2c2d094ccb491f8b7f915e7e4f2b06c1e7868165fcc73ea9c" },
+    { "path": "docs/notifications/fixtures/redaction/sample.json", "digest": "e181c3108f875c28c7e29225ea9c39ddaf9c70993cf93fae8a510d897e078ba2" },
+    { "path": "docs/notifications/operations/dashboards/notify-slo.json", "digest": "8b380cb5491727a3ec69d50789f5522ac66c97804bebbf7de326568e52b38fa9" },
+    { "path": "docs/notifications/operations/alerts/notify-slo-alerts.yaml", "digest": "2c3b702c42d3e860c7f4e51d577f77961e982e1d233ef5ec392cba5414a0056d" },
+    { "path": "offline/notifier/notify-kit.manifest.json", "digest": "15e0b2f670e6b8089c6c960e354f16ba8201d993a077a28794a30b8d1cb23e9a" },
+    { "path": "offline/notifier/notify-kit.manifest.dsse.json", "digest": "68742f4e5bd202afe2cc90964d51fea7971395f3e57a875ae7111dcbb760321e" }
   ]
 }

offline/notifier/notify-kit.manifest.dsse.json

@@ -1,6 +1,11 @@
 {
   "payloadType": "application/vnd.notify.manifest+json",
-  "payload": "BASE64_ENCODED_NOTIFY_KIT_MANIFEST_TBD",
-  "signatures": [],
-  "note": "Placeholder envelope; replace payload with base64 of canonical manifest and attach signatures when keys are available."
+  "payload": "eyJhcnRpZmFjdHMiOlt7ImRpZ2VzdCI6IjM0ZTg2NTViMGM3Y2E3MGM4NDRkNGI5YWVlNTZiZGQ3YmQzMGI2YTg2NjZkMmFmNzVhNzA4NTZiMTZmNTYwNWQiLCJuYW1lIjoic2NoZW1hLWNhdGFsb2ciLCJwYXRoIjoiZG9jcy9ub3RpZmljYXRpb25zL3NjaGVtYXMvbm90aWZ5LXNjaGVtYXMtY2F0YWxvZy5qc29uIn0seyJkaWdlc3QiOiIzZmUwOTlhN2FlZWZjMmI5N2M5ZDlmYzRjN2IzN2NmODQ2OGFjMjM2N2U4MGZjM2UwZjc4YmE5NDQ0YTgwNmQxIiwibmFtZSI6InNjaGVtYS1jYXRhbG9nLWRzc2UiLCJwYXRoIjoiZG9jcy9ub3RpZmljYXRpb25zL3NjaGVtYXMvbm90aWZ5LXNjaGVtYXMtY2F0YWxvZy5kc3NlLmpzb24ifSx7ImRpZ2VzdCI6ImI4ODlkZmQxOWE5ZDBhMGY3YmFmYjk1ODEzNWZkZTE1MWU2M2MxZTUyNTk0NTNkNTkyZDY1MTlhZTE2Njc4MTkiLCJuYW1lIjoicnVsZXMiLCJwYXRoIjoiZG9jcy9ub3RpZmljYXRpb25zL2dhcHMtbnIxLW5yMTAubWQifSx7ImRpZ2VzdCI6IjNhNDFlNjI2ODdiNmUwNGY1MGU4NmVhNzQ3MDZlZWFlMjhlZWY2NjZkN2M0ZGJiNWRjMjI4MWU2ODI5YmY0MWEiLCJuYW1lIjoiZml4dHVyZXMtcmVuZGVyaW5nIiwicGF0aCI6ImRvY3Mvbm90aWZpY2F0aW9ucy9maXh0dXJlcy9yZW5kZXJpbmcvZmluZGV4Lm5kanNvbiJ9LHsiZGlnZXN0IjoiZGQ0ZWVmYzhkZGVkNWQ2ZjQ2YzgzMmU5NTliYTBlZWY5NWVlOGI3N2YxMGFjMGFhZTkwZjdjODlhZDQyOTA2YyIsIm5hbWUiOiJmaXh0dXJlcy1yZWRhY3Rpb24iLCJwYXRoIjoiZG9jcy9ub3RpZmljYXRpb25zL2ZpeHR1cmVzL3JlZGFjdGlvbi9zYW1wbGUuanNvbiJ9LHsiZGlnZXN0IjoiOGIzODBjYjU0OTE3MjdhM2VjNjlkNTA3ODlmNTUyMmFjNjZjOTc4MDRiZWJiZjdkZTMyNjU2OGU1MmIzOGZhOSIsIm5hbWUiOiJkYXNoYm9hcmRzIiwicGF0aCI6ImRvY3Mvbm90aWZpY2F0aW9ucy9vcGVyYXRpb25zL2Rhc2hib2FyZHMvbm90aWZ5LXNsby5qc29uIn0seyJkaWdlc3QiOiIyYzNiNzAyYzQyZDNlODYwYzdmNGU1MWQ1NzdmNzc5NjFlOTgyZTFkMjMzZWY1ZWMzOTJjYmE1NDE0YTAwNTZkIiwibmFtZSI6ImFsZXJ0cyIsInBhdGgiOiJkb2NzL25vdGlmaWNhdGlvbnMvb3BlcmF0aW9ucy9hbGVydHMvc25vdGlmeS1zbG8tYWxlcnRzLnlhbWwifV0sImNhbm9uaWNhbGl6YXRpb24iOiJqc29uLW5vcm1hbGl6ZWQtdXRmOCIsImVudmlyb25tZW50Ijoib2ZmbGluZSIsImdlbmVyYXRlZF9hdCI6IjIwMjUtMTItMDRUMDA6MDA6MDBaIiwiaGFzaF9hbGdvcml0aG0iOiJibGFrZTMtMjU2Iiwic2NoZW1hX3ZlcnNpb24iOiJ2MS4wIiwidGVuYW50X3Njb3BlIjoiKiJ9",
+  "signatures": [
+    {
+      "sig": "DZwohxh6AOAP7Qf9geoZjw2jTXVU3rR8sYw4mgKpMu0=",
+      "keyid": "notify-dev-hmac-001",
+      "signedAt": "2025-12-04T21:13:10+00:00"
+    }
+  ]
 }

offline/notifier/notify-kit.manifest.json

@@ -4,13 +4,13 @@
   "tenant_scope": "*",
   "environment": "offline",
   "artifacts": [
-    { "name": "schema-catalog", "path": "docs/notifications/schemas/notify-schemas-catalog.json", "digest": "TBD" },
-    { "name": "schema-catalog-dsse", "path": "docs/notifications/schemas/notify-schemas-catalog.dsse.json", "digest": "TBD" },
-    { "name": "rules", "path": "docs/notifications/gaps-nr1-nr10.md", "digest": "TBD" },
-    { "name": "fixtures-rendering", "path": "docs/notifications/fixtures/rendering/index.ndjson", "digest": "TBD" },
-    { "name": "fixtures-redaction", "path": "docs/notifications/fixtures/redaction/sample.json", "digest": "TBD" },
-    { "name": "dashboards", "path": "docs/notifications/operations/dashboards/notify-slo.json", "digest": "TBD" },
-    { "name": "alerts", "path": "docs/notifications/operations/alerts/notify-slo-alerts.yaml", "digest": "TBD" }
+    { "name": "schema-catalog", "path": "docs/notifications/schemas/notify-schemas-catalog.json", "digest": "34e8655b0c7ca70c844d4b9aee56bdd7bd30b6a8666d2af75a70856b16f5605d" },
+    { "name": "schema-catalog-dsse", "path": "docs/notifications/schemas/notify-schemas-catalog.dsse.json", "digest": "7c537ff728312cefb0769568bd376adc2bd79f6926173bf21f50c873902133dc" },
+    { "name": "rules", "path": "docs/notifications/gaps-nr1-nr10.md", "digest": "b889dfd19a9d0a0f7bafb958135fde151e63c1e5259453d592d6519ae1667819" },
+    { "name": "fixtures-rendering", "path": "docs/notifications/fixtures/rendering/index.ndjson", "digest": "3a41e62687b6e04f50e86ea74706eeae28eef666d7c4dbb5dc2281e6829bf41a" },
+    { "name": "fixtures-redaction", "path": "docs/notifications/fixtures/redaction/sample.json", "digest": "dd4eefc8dded5d6f46c832e959ba0eef95ee8b77f10ac0aae90f7c89ad42906c" },
+    { "name": "dashboards", "path": "docs/notifications/operations/dashboards/notify-slo.json", "digest": "8b380cb5491727a3ec69d50789f5522ac66c97804bebbf7de326568e52b38fa9" },
+    { "name": "alerts", "path": "docs/notifications/operations/alerts/notify-slo-alerts.yaml", "digest": "2c3b702c42d3e860c7f4e51d577f77961e982e1d233ef5ec392cba5414a0056d" }
   ],
   "hash_algorithm": "blake3-256",
   "canonicalization": "json-normalized-utf8"

offline/notifier/verify_notify_kit.sh

@@ -15,4 +15,42 @@ if [ "$missing" -ne 0 ]; then
   exit 1
 fi
 
-echo "[OK] Notify kit artefacts present (hash/signature verification placeholder)."
+python - <<'PY'
+import json, sys, pathlib, base64
+try:
+    import blake3
+except ImportError:
+    sys.stderr.write("blake3 module missing; install with `python -m pip install blake3`\n")
+    sys.exit(1)
+
+if '__file__' in globals() and __file__ not in (None, '<stdin>'):
+    root = pathlib.Path(__file__).resolve().parent
+else:
+    root = pathlib.Path.cwd()
+hashes = json.loads((root / "artifact-hashes.json").read_text())
+
+def h(path: pathlib.Path):
+    if path.suffix == ".json":
+        data = json.dumps(json.loads(path.read_text()), sort_keys=True, separators=(',', ':')).encode()
+    else:
+        data = path.read_bytes()
+    return blake3.blake3(data).hexdigest()
+
+ok = True
+for entry in hashes["entries"]:
+    path = root.parent.parent / entry["path"]
+    digest = entry["digest"]
+    if not path.exists():
+        sys.stderr.write(f"[FAIL] missing file {path}\n")
+        ok = False
+        continue
+    actual = h(path)
+    if actual != digest:
+        sys.stderr.write(f"[FAIL] digest mismatch {path}: expected {digest}, got {actual}\n")
+        ok = False
+
+if not ok:
+    sys.exit(1)
+
+print("[OK] All artifact hashes verified with blake3.")
+PY