consolidation of some of the modules, localization fixes, product advisories work, qa work

src/Concelier/StellaOps.Excititor.WebService/Options/AirgapOptions.cs

@@ -0,0 +1,33 @@
+using System.Collections.Generic;
+
+namespace StellaOps.Excititor.WebService.Options;
+
+internal sealed class AirgapOptions
+{
+    public const string SectionName = "Excititor:Airgap";
+
+    /// <summary>
+    /// Enables sealed-mode enforcement for air-gapped imports.
+    /// When true, external payload URLs are rejected and publisher allowlist is applied.
+    /// </summary>
+    public bool SealedMode { get; set; } = false;
+
+    /// <summary>
+    /// When true, imports must originate from mirror/offline sources (no HTTP/HTTPS URLs).
+    /// </summary>
+    public bool MirrorOnly { get; set; } = true;
+
+    /// <summary>
+    /// Optional allowlist of publishers that may submit bundles while sealed mode is enabled.
+    /// Empty list means allow all.
+    /// </summary>
+    public List<string> TrustedPublishers { get; } = new();
+
+    /// <summary>
+    /// Optional root path for locally stored locker artefacts (portable manifest, evidence NDJSON).
+    /// When set, /evidence/vex/locker/* endpoints will attempt to read files from this root to
+    /// compute deterministic hashes and sizes; otherwise only stored hashes are returned.
+    /// </summary>
+    public string? LockerRootPath { get; set; }
+        = null;
+}