Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism

- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.

src/Signer/__Libraries/StellaOps.Signer.Keyless/SignerKeylessOptions.cs

@@ -0,0 +1,170 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace StellaOps.Signer.Keyless;
+
+/// <summary>
+/// Configuration options for keyless signing.
+/// </summary>
+public sealed class SignerKeylessOptions
+{
+    /// <summary>
+    /// Configuration section name.
+    /// </summary>
+    public const string SectionName = "Signer:Keyless";
+
+    /// <summary>
+    /// Whether keyless signing is enabled.
+    /// </summary>
+    public bool Enabled { get; set; }
+
+    /// <summary>
+    /// Fulcio CA configuration.
+    /// </summary>
+    public FulcioOptions Fulcio { get; set; } = new();
+
+    /// <summary>
+    /// OIDC configuration for token acquisition.
+    /// </summary>
+    public OidcOptions Oidc { get; set; } = new();
+
+    /// <summary>
+    /// Algorithm configuration.
+    /// </summary>
+    public AlgorithmOptions Algorithms { get; set; } = new();
+
+    /// <summary>
+    /// Certificate validation configuration.
+    /// </summary>
+    public CertificateOptions Certificate { get; set; } = new();
+
+    /// <summary>
+    /// Identity verification configuration.
+    /// </summary>
+    public IdentityOptions Identity { get; set; } = new();
+}
+
+/// <summary>
+/// Fulcio CA configuration options.
+/// </summary>
+public sealed class FulcioOptions
+{
+    /// <summary>
+    /// The Fulcio CA URL.
+    /// </summary>
+    [Required]
+    public string Url { get; set; } = "https://fulcio.sigstore.dev";
+
+    /// <summary>
+    /// Request timeout.
+    /// </summary>
+    public TimeSpan Timeout { get; set; } = TimeSpan.FromSeconds(30);
+
+    /// <summary>
+    /// Number of retry attempts.
+    /// </summary>
+    public int Retries { get; set; } = 3;
+
+    /// <summary>
+    /// Base duration for exponential backoff.
+    /// </summary>
+    public TimeSpan BackoffBase { get; set; } = TimeSpan.FromSeconds(1);
+
+    /// <summary>
+    /// Maximum backoff duration.
+    /// </summary>
+    public TimeSpan BackoffMax { get; set; } = TimeSpan.FromSeconds(30);
+}
+
+/// <summary>
+/// OIDC configuration for token acquisition.
+/// </summary>
+public sealed class OidcOptions
+{
+    /// <summary>
+    /// The OIDC issuer URL.
+    /// </summary>
+    public string? Issuer { get; set; }
+
+    /// <summary>
+    /// The OAuth2 client ID.
+    /// </summary>
+    public string? ClientId { get; set; }
+
+    /// <summary>
+    /// Reference to the client secret (e.g., "env:SIGNER_OIDC_CLIENT_SECRET").
+    /// </summary>
+    public string? ClientSecretRef { get; set; }
+
+    /// <summary>
+    /// Use ambient OIDC token from CI runner.
+    /// </summary>
+    public bool UseAmbientToken { get; set; }
+
+    /// <summary>
+    /// Path to ambient OIDC token file.
+    /// </summary>
+    public string? AmbientTokenPath { get; set; } = "/var/run/secrets/tokens/oidc";
+
+    /// <summary>
+    /// Token refresh interval before expiry.
+    /// </summary>
+    public TimeSpan RefreshBefore { get; set; } = TimeSpan.FromMinutes(1);
+}
+
+/// <summary>
+/// Algorithm configuration options.
+/// </summary>
+public sealed class AlgorithmOptions
+{
+    /// <summary>
+    /// Preferred algorithm for new signings.
+    /// </summary>
+    public string Preferred { get; set; } = KeylessAlgorithms.EcdsaP256;
+
+    /// <summary>
+    /// Allowed algorithms for signing.
+    /// </summary>
+    public List<string> Allowed { get; set; } = [KeylessAlgorithms.EcdsaP256, KeylessAlgorithms.Ed25519];
+}
+
+/// <summary>
+/// Certificate validation configuration options.
+/// </summary>
+public sealed class CertificateOptions
+{
+    /// <summary>
+    /// Path to Fulcio root CA bundle.
+    /// </summary>
+    public string? RootBundlePath { get; set; }
+
+    /// <summary>
+    /// Additional trusted root certificates (PEM format).
+    /// </summary>
+    public List<string> AdditionalRoots { get; set; } = [];
+
+    /// <summary>
+    /// Whether to validate the certificate chain.
+    /// </summary>
+    public bool ValidateChain { get; set; } = true;
+
+    /// <summary>
+    /// Whether to require Signed Certificate Timestamp (SCT).
+    /// </summary>
+    public bool RequireSct { get; set; } = true;
+}
+
+/// <summary>
+/// Identity verification configuration options.
+/// </summary>
+public sealed class IdentityOptions
+{
+    /// <summary>
+    /// Expected OIDC issuers for verification.
+    /// </summary>
+    public List<string> ExpectedIssuers { get; set; } = [];
+
+    /// <summary>
+    /// Expected subject patterns (regex) for SAN verification.
+    /// </summary>
+    public List<string> ExpectedSubjectPatterns { get; set; } = [];
+}