feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.

src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/TaskPackPlannerTests.cs

@@ -1,6 +1,8 @@
-using System.Linq;
-using System.Text.Json.Nodes;
-using StellaOps.TaskRunner.Core.Planning;
+using System;
+using System.Linq;
+using System.Text.Json.Nodes;
+using StellaOps.AirGap.Policy;
+using StellaOps.TaskRunner.Core.Planning;
 
 namespace StellaOps.TaskRunner.Tests;
 
@@ -165,13 +167,62 @@ public sealed class TaskPackPlannerTests
     }
 
     [Fact]
-    public void Plan_WhenRequiredInputMissing_ReturnsError()
-    {
-        var manifest = TestManifests.Load(TestManifests.RequiredInput);
-        var planner = new TaskPackPlanner();
-
-        var result = planner.Plan(manifest);
-        Assert.False(result.Success);
-        Assert.Contains(result.Errors, error => error.Path == "inputs.sbomBundle");
-    }
-}
+    public void Plan_WhenRequiredInputMissing_ReturnsError()
+    {
+        var manifest = TestManifests.Load(TestManifests.RequiredInput);
+        var planner = new TaskPackPlanner();
+
+        var result = planner.Plan(manifest);
+        Assert.False(result.Success);
+        Assert.Contains(result.Errors, error => error.Path == "inputs.sbomBundle");
+    }
+
+    [Fact]
+    public void Plan_SealedMode_AllowsDeclaredEgress()
+    {
+        var manifest = TestManifests.Load(TestManifests.EgressAllowed);
+        var options = new EgressPolicyOptions
+        {
+            Mode = EgressPolicyMode.Sealed
+        };
+        options.AddAllowRule("mirror.internal", 443, EgressTransport.Https);
+
+        var planner = new TaskPackPlanner(new EgressPolicy(options));
+
+        var result = planner.Plan(manifest);
+
+        Assert.True(result.Success);
+    }
+
+    [Fact]
+    public void Plan_SealedMode_BlocksUndeclaredEgress()
+    {
+        var manifest = TestManifests.Load(TestManifests.EgressBlocked);
+        var options = new EgressPolicyOptions
+        {
+            Mode = EgressPolicyMode.Sealed
+        };
+        var planner = new TaskPackPlanner(new EgressPolicy(options));
+
+        var result = planner.Plan(manifest);
+
+        Assert.False(result.Success);
+        Assert.Contains(result.Errors, error => error.Message.Contains("example.com", StringComparison.OrdinalIgnoreCase));
+    }
+
+    [Fact]
+    public void Plan_SealedMode_RuntimeUrlWithoutDeclaration_ReturnsError()
+    {
+        var manifest = TestManifests.Load(TestManifests.EgressRuntime);
+        var options = new EgressPolicyOptions
+        {
+            Mode = EgressPolicyMode.Sealed
+        };
+        var planner = new TaskPackPlanner(new EgressPolicy(options));
+
+        var result = planner.Plan(manifest);
+
+        Assert.False(result.Success);
+        Assert.Contains(result.Errors, error => error.Path.StartsWith("spec.steps[0]", StringComparison.Ordinal));
+    }
+}