Add signal contracts for reachability, exploitability, trust, and unknown symbols

- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.

offline/notifier/verify_notify_kit.sh

@@ -15,4 +15,42 @@ if [ "$missing" -ne 0 ]; then
   exit 1
 fi
 
-echo "[OK] Notify kit artefacts present (hash/signature verification placeholder)."
+python - <<'PY'
+import json, sys, pathlib, base64
+try:
+    import blake3
+except ImportError:
+    sys.stderr.write("blake3 module missing; install with `python -m pip install blake3`\n")
+    sys.exit(1)
+
+if '__file__' in globals() and __file__ not in (None, '<stdin>'):
+    root = pathlib.Path(__file__).resolve().parent
+else:
+    root = pathlib.Path.cwd()
+hashes = json.loads((root / "artifact-hashes.json").read_text())
+
+def h(path: pathlib.Path):
+    if path.suffix == ".json":
+        data = json.dumps(json.loads(path.read_text()), sort_keys=True, separators=(',', ':')).encode()
+    else:
+        data = path.read_bytes()
+    return blake3.blake3(data).hexdigest()
+
+ok = True
+for entry in hashes["entries"]:
+    path = root.parent.parent / entry["path"]
+    digest = entry["digest"]
+    if not path.exists():
+        sys.stderr.write(f"[FAIL] missing file {path}\n")
+        ok = False
+        continue
+    actual = h(path)
+    if actual != digest:
+        sys.stderr.write(f"[FAIL] digest mismatch {path}: expected {digest}, got {actual}\n")
+        ok = False
+
+if not ok:
+    sys.exit(1)
+
+print("[OK] All artifact hashes verified with blake3.")
+PY