Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

docs/13_RELEASE_ENGINEERING_PLAYBOOK.md

@@ -65,6 +65,9 @@ graph LR
 `ops/devops/release/build_release.py` to build multi-arch images, attach
 CycloneDX SBOMs and SLSA provenance with Cosign, and emit
 `out/release/release.yaml` for downstream packaging (Helm, Compose, Offline Kit).
+The `build-test-deploy` workflow also runs
+`python ops/devops/release/test_verify_release.py` so release verifier
+regressions fail fast during every CI pass.
 
 ---
 
@@ -100,11 +103,12 @@ ouk fetch \
   --sign cosign.key
 ```
 
-### 4.2 Pipeline Hook
-
-* Runs on **first Friday** each month (cron).  
-* Generates tarball, signs it, uploads to **GitLab Release asset**.  
-* SHA‑256 + signature published alongside.
+### 4.2 Pipeline Hook
+
+* Runs on **first Friday** each month (cron).  
+* Generates tarball, signs it, uploads to **GitLab Release asset**.  
+* SHA‑256 + signature published alongside.
+* Release job must emit `out/release/debug/` with `debug-manifest.json` and `.sha256` so `ops/offline-kit/mirror_debug_store.py` can mirror symbols into the Offline Kit (see `DEVOPS-REL-17-004`).
 
 ### 4.3 Activation Flow (runtime)
 
@@ -123,12 +127,13 @@ CI job fails if token expiry < 29 days (guard against stale caches).
 
 ## 5 Artifact Signing & Transparency
 
-| Artefact     | Signer          | Tool                  |
-| ------------ | --------------- | --------------------- |
-| Git tags     | GPG (`0x90C4…`) | `git tag -s`          |
-| Containers   | Cosign key pair | `cosign sign`         |
-| Helm Charts  | prov file       | `helm package --sign` |
-| OUK tarballs | Cosign          | `cosign sign-blob`    |
+| Artefact     | Signer          | Tool/Notes                         |
+| ------------ | --------------- | ---------------------------------- |
+| Git tags     | GPG (`0x90C4…`) | `git tag -s`                       |
+| Containers   | Cosign key pair | `cosign sign`                      |
+| Helm Charts  | prov file       | `helm package --sign`              |
+| OUK tarballs | Cosign          | `cosign sign-blob`                 |
+| Debug store  | —               | `debug/debug-manifest.json` hashed |
 
 **Rekor** integration is **TODO** – once the internal Rekor mirror is online (`StellaOpsAttestor`) a post‑publish job will submit transparency log entries.
 
@@ -141,9 +146,20 @@ CI job fails if token expiry < 29 days (guard against stale caches).
 3. Tag `git tag -s X.Y.Z -m "Release X.Y.Z"` & push.  
 4. GitLab CI auto‑publishes images & charts.  
 5. Draft GitLab **Release Notes** using `tools/release-notes-gen`.  
-6. Verify SBOM attachment with `stella sbom verify stella/backend:X.Y.Z`.  
-7. Smoke‑test OUK tarball in offline lab.  
-8. Announce in `#stella-release` Mattermost channel.
+6. Verify SBOM attachment with `stella sbom verify stella/backend:X.Y.Z`.  
+7. Run the release verifier locally if CI isn’t available (mirrors the workflow step):  
+   `python ops/devops/release/test_verify_release.py`  
+8. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest:
+   ```bash
+   ./ops/offline-kit/mirror_debug_store.py \
+     --release-dir out/release \
+     --offline-kit-dir out/offline-kit
+   jq '.artifacts | length' out/offline-kit/debug/debug-manifest.json
+   readelf -n /app/... | grep -i 'Build ID'
+   ```
+   Validate that the hash from `readelf` matches the `.build-id/<aa>/<rest>.debug` path created by the script.  
+9. Smoke-test OUK tarball in offline lab.  
+10. Announce in `#stella-release` Mattermost channel.
 
 ---