Add signal contracts for reachability, exploitability, trust, and unknown symbols

- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.

tests/EvidenceLocker/Bundles/Golden/README.md

@@ -3,9 +3,9 @@
 Purpose: reference bundles and replay records used by CI to prove deterministic packaging, DSSE subject stability, and portable redaction behaviour.
 
 ## Layout
-- `sealed/` – sealed `bundle.tgz` artifacts with matching `manifest.json`, `checksums.txt`, and expected Merkle root in `expected.json`.
-- `portable/` – redacted `portable-bundle-v1.tgz` paired with `expected.json` noting masked fields.
-- `replay/` – `replay.ndjson` records aligned to the bundle fixtures; ordering is canonical (recordedAtUtc, scanId).
+- `sealed/` – sealed bundle ingredients (`manifest.json`, `checksums.txt`, DSSE `signature.json`, `bundle.json`, evidence ndjson) plus `expected.json`.
+- `portable/` – redacted bundle ingredients and `expected.json` noting masked fields and tenant token.
+- `replay/` – `replay.ndjson` with `expected.json` (recordDigest, sequence, ledger URI); ordering is canonical (recordedAtUtc, scanId).
 
 ## Expectations
 - Gzip timestamp pinned to `2025-01-01T00:00:00Z`; tar entries use `0644` perms and fixed mtime.